Analysis Report XQehPgTn35.exe

Overview

General Information

Sample Name: XQehPgTn35.exe
Analysis ID: 433012
MD5: 595c00bf9ca4baa42b4490f2782cf2d3
SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file has nameless sections
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • XQehPgTn35.exe (PID: 6468 cmdline: 'C:\Users\user\Desktop\XQehPgTn35.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
    • server.exe (PID: 6616 cmdline: 'C:\Windows\server.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
      • netsh.exe (PID: 6700 cmdline: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 3544 cmdline: netsh firewall delete allowedprogram 'C:\Windows\server.exe' MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5700 cmdline: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Microsoft Corporation.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
  • Google.exe (PID: 6716 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "714bcaf02dc680243f761ccdcdc54f71", "Install Dir": "system 32", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "[i]", "Port": "MTU0MDkg", "Network Seprator": "714bcaf02dc680243f761ccdcdc54f71", "Mutex Name": "False", "BSOD Active": "MTU0MDkg", "Pastebin Link": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
XQehPgTn35.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Google.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\SublimeText.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1585d:$reg: SEE_MASK_NOZONECHECKS
  • 0x154e3:$msg: Execute ERROR
  • 0x15537:$msg: Execute ERROR
  • 0x15aaf:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1585d:$reg: SEE_MASK_NOZONECHECKS
  • 0x154e3:$msg: Execute ERROR
  • 0x15537:$msg: Execute ERROR
  • 0x15aaf:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.server.exe.9c0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
11.0.Microsoft Corporation.exe.da0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
0.0.XQehPgTn35.exe.ae0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
14.0.Google.exe.1310000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
0.2.XQehPgTn35.exe.ae0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Windows\server.exe' , ParentImage: C:\Windows\server.exe, ParentProcessId: 6616, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE, ProcessId: 6700

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: XQehPgTn35.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Windows\server.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\system 32.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Umbrella.flv.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\SublimeText.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Found malware configuration
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "714bcaf02dc680243f761ccdcdc54f71", "Install Dir": "system 32", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "[i]", "Port": "MTU0MDkg", "Network Seprator": "714bcaf02dc680243f761ccdcdc54f71", "Mutex Name": "False", "BSOD Active": "MTU0MDkg", "Pastebin Link": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
Multi AV Scanner detection for domain / URL
Source: 4.tcp.ngrok.io | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Virustotal: Detection: 44%
Source: C:\Program Files (x86)\Google.exe | Metadefender: Detection: 42%
Source: C:\Program Files (x86)\Google.exe | ReversingLabs: Detection: 61%
Source: C:\SublimeText.exe | Metadefender: Detection: 42%
Source: C:\SublimeText.exe | ReversingLabs: Detection: 61%
Source: C:\Umbrella.flv.exe | Metadefender: Detection: 42%
Source: C:\Umbrella.flv.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | ReversingLabs: Detection: 61%
Multi AV Scanner detection for submitted file
Source: XQehPgTn35.exe | Virustotal: Detection: 44%
Source: XQehPgTn35.exe | Metadefender: Detection: 42%
Source: XQehPgTn35.exe | ReversingLabs: Detection: 61%
Yara detected Njrat
Source: Yara match | File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match | File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match | File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Joe Sandbox ML: detected
Source: C:\Windows\server.exe | Joe Sandbox ML: detected
Source: C:\system 32.exe | Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Joe Sandbox ML: detected
Source: C:\SublimeText.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: XQehPgTn35.exe | Joe Sandbox ML: detected
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.XQehPgTn35.exe.afc000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.132c000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.1310000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.Microsoft Corporation.exe.dbc000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Unpacked PE file: 14.2.Google.exe.1310000.0.unpack
Source: XQehPgTn35.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, Usb1.cs | .Net Code: infect
Source: 14.2.Google.exe.1310000.0.unpack, Usb1.cs | .Net Code: infect
Creates autorun.inf (USB autostart)
Source: C:\Windows\server.exe | File created: C:\autorun.inf
Source: XQehPgTn35.exe | Binary or memory string: [autorun]
Source: XQehPgTn35.exe | Binary or memory string: \autorun.inf
Source: XQehPgTn35.exe | Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: [autorun]
Source: Google.exe | Binary or memory string: [autorun]
Source: Google.exe | Binary or memory string: \autorun.inf
Source: Google.exe | Binary or memory string: autorun.inf
Source: autorun.inf.2.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_00D67A2C FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49727 -> 3.138.180.119:15409
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: [i]
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 3.136.65.236 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 3.129.187.220 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 3.138.180.119 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 192.168.2.3:49727 -> 3.138.180.119:15409
Source: global traffic | TCP traffic: 192.168.2.3:49730 -> 3.129.187.220:15409
Source: global traffic | TCP traffic: 192.168.2.3:49748 -> 3.136.65.236:15409
Source: Joe Sandbox View | IP Address: 3.129.187.220 3.129.187.220
Source: Joe Sandbox View | IP Address: 3.138.180.119 3.138.180.119
Source: Joe Sandbox View | IP Address: 3.136.65.236 3.136.65.236
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: unknown | DNS traffic detected: queries for: 4.tcp.ngrok.io
Source: Google.exe, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: XQehPgTn35.exe, 00000000.00000002.201116536.0000000000AFC000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.254136129.0000000000DBC000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: Microsoft Corporation.exe, 0000000B.00000002.253950253.0000000000C4A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\server.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match | File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match | File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
PE file has nameless sections
Source: XQehPgTn35.exe | Static PE information: section name: (empty)
Source: XQehPgTn35.exe | Static PE information: section name: (empty)
Source: XQehPgTn35.exe | Static PE information: section name: (empty)
Source: server.exe.0.dr | Static PE information: section name: (empty)
Source: server.exe.0.dr | Static PE information: section name: (empty)
Source: server.exe.0.dr | Static PE information: section name: (empty)
Source: Google.exe.2.dr | Static PE information: section name: (empty)
Source: Google.exe.2.dr | Static PE information: section name: (empty)
Source: Google.exe.2.dr | Static PE information: section name: (empty)
Source: Microsoft Corporation.exe.2.dr | Static PE information: section name: (empty)
Source: Microsoft Corporation.exe.2.dr | Static PE information: section name: (empty)
Source: Microsoft Corporation.exe.2.dr | Static PE information: section name: (empty)
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: section name: (empty)
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: section name: (empty)
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: section name: (empty)
Source: C:\Windows\server.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Windows\server.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_00AE2050
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeCode function: 11_2_00DA2050
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exeCode function: 14_2_01312050
          Source: C:\Users\user\Desktop\XQehPgTn35.exeCode function: String function: 00B00264 appears 61 times
          Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmpBinary or memory string: originalfilename vs XQehPgTn35.exe
          Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs XQehPgTn35.exe
          Source: XQehPgTn35.exe, 00000000.00000002.204526243.0000000006400000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs XQehPgTn35.exe
          Source: XQehPgTn35.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XQehPgTn35.exe, type: SAMPLE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27)
Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat (same rule metadata as above)
Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat (same rule metadata as above)
Source: C:\Program Files (x86)\Google.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\SublimeText.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\system 32.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\Windows\server.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: 2.0.server.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: 11.0.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: 0.0.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: 14.0.Google.exe.1310000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (same rule metadata as above)
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat (same rule metadata as above)
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat (same rule metadata as above)
Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat (same rule metadata as above)
(The on-disk images and the stage-0 dumps (.0.unpack) match only the generic XORed-URL rule; the njRAT rule fires only on the post-execution dumps (.2.unpack) and memory regions, which is consistent with the runtime unpacking reported under Data Obfuscation below.)
Source: XQehPgTn35.exe, server.exe.0.dr, Google.exe.2.dr, Microsoft Corporation.exe.2.dr, 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: nameless section ZLIB complexity 0.989884561567; section .data ZLIB complexity 0.997420238423 (identical values for the sample and all four dropped copies)
Source: classification engine | Classification label: mal100.spre.troj.adwa.evad.winEXE@14/27@35/3
Source: C:\Windows\server.exe | File created: C:\Program Files (x86)\Google.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\714bcaf02dc680243f761ccdcdc54f71 (the same value prefixes the dropped "Windows Updater.exe" file name)
Source: C:\Windows\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_01
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\server.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Sections loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll; C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp; C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (CLR 2.0 runtime)
Source: C:\Windows\server.exe | Sections loaded: the same three mscorlib 2.0 files
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Sections loaded: the same three mscorlib 2.0 files
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Sections loaded: the same three mscorlib 2.0 files
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: XQehPgTn35.exe | Virustotal: Detection: 44%
Source: XQehPgTn35.exe | Metadefender: Detection: 42%
Source: XQehPgTn35.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File read: C:\Users\user\Desktop\XQehPgTn35.exe
Source: unknown | Process created: C:\Users\user\Desktop\XQehPgTn35.exe 'C:\Users\user\Desktop\XQehPgTn35.exe'
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Process created: C:\Windows\server.exe 'C:\Windows\server.exe'
Source: C:\Windows\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram 'C:\Windows\server.exe'
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe'
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: XQehPgTn35.exe | Static file information: File size 1143296 > 1048576
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack; section rights differ between the unpacked image and the original: Unknown_Section0:EW; Unknown_Section1:EW; Unknown_Section2:EW; .data:EW vs. Unknown_Section0:ER; Unknown_Section1:R; Unknown_Section2:ER; .data:ER (E = execute, R = read, W = write)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack; same change of section rights
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Unpacked PE file: 14.2.Google.exe.1310000.0.unpack; same change of section rights
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Unpacked PE file: 14.2.Google.exe.1310000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, Stub/Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) (loads an assembly from an in-memory byte array, the usual final stage of a .NET packer stub)
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, Stub/Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Google.exe.1310000.0.unpack, Stub/Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: XQehPgTn35.exe | Static PE information: section name: (empty; three nameless sections)
Source: server.exe.0.dr | Static PE information: section name: (empty; three nameless sections)
Source: Google.exe.2.dr | Static PE information: section name: (empty; three nameless sections)
Source: Microsoft Corporation.exe.2.dr | Static PE information: section name: (empty; three nameless sections)
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: section name: (empty; three nameless sections)
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code functions, push ss; ret: 0_2_00B09089, 0_2_00B09075, 0_2_00B091FF, 0_2_00B093D9, 0_2_00B09311, 0_2_00B1549B, 0_2_00B15484, 0_2_00B09453, 0_2_00B0945F
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code functions, push es; ret: 0_2_00B0C2A8, 0_2_00B0C394, 0_2_00B0C3F4, 0_2_00B0C355, 0_2_00B0C4E4, 0_2_00B0C448, 0_2_00B0C514
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code functions, push ecx; mov dword ptr [esp], edx: 0_2_00B18104, 0_2_00B1832C, 0_2_00B1848C, 0_2_00B18448
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code functions, push <immediate>; ret: 0_2_00B153A0 push 00B15400h; 0_2_00B043EA push 00B04418h; 0_2_00B04494 push 00B044C0h; 0_2_00B044F8 push 00B0452Ch; 0_2_00B04424 push 00B04450h; 0_2_00B16454 push 00B164A1h; 0_2_00B0445C push 00B04488h; 0_2_00B025F0 push 00B02641h; 0_2_00B14536 push 00B145B5h; 0_2_00B15577 push 00B155A4h; 0_2_00B0C55C push 00B0C6D8h
Source: initial sample | Static PE information: section name: (empty) entropy: 7.97927562362
Source: initial sample | Static PE information: section name: .data entropy: 7.9850157277
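The nameless sections, the per-section entropy just under 8.0 bits and the ZLIB complexity close to 1.0 listed above are the static side of the unpacking behaviour recorded in this section: the on-disk sections are incompressible blobs that the stub decodes at runtime. The following is an added example written for this page; it is not code from the Joe Sandbox report or from the analysed sample. It walks the PE section table directly (no pefile dependency), computes Shannon entropy and a zlib compression ratio per section the way the report's two metrics do, and flags the three conditions seen here: an empty section name, high-entropy or incompressible data, and sections marked both writable and executable. The PE bytes are constructed inside the script and are not the sample; the thresholds (7.0 bits, 0.9 ratio) are assumed working values.

```python
"""Static PE section triage: nameless sections, entropy, zlib complexity, W+X.

Added example for this page; not code from the Joe Sandbox report or the sample.
The PE image built by build_sample_pe() is constructed for the demonstration.
"""
import math
import random
import struct
import zlib

# Section characteristic bits from winnt.h.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed working thresholds, not values taken from the report.
ENTROPY_THRESHOLD = 7.0      # bits per byte; packed or encrypted data sits near 8.0
COMPLEXITY_THRESHOLD = 0.9   # compressed size / raw size; about 1.0 means incompressible


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Ratio of zlib-compressed size to raw size, like the report's 'ZLIB complexity'."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                             # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)  # Characteristics field
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
            "zlib_complexity": zlib_complexity(raw),
        })
    return sections


def triage(pe: bytes) -> list:
    """Return (index, name, [reasons]) for every section that looks packed or suspicious."""
    findings = []
    for s in parse_sections(pe):
        reasons = []
        if not s["name"]:
            reasons.append("nameless section")
        if s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append("entropy %.2f" % s["entropy"])
        if s["zlib_complexity"] >= COMPLEXITY_THRESHOLD:
            reasons.append("incompressible (zlib %.3f)" % s["zlib_complexity"])
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((s["index"], s["name"], reasons))
    return findings


def _section_header(name: bytes, vaddr: int, raw: bytes, raw_ptr: int, chars: int) -> bytes:
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2 pointers, 2 counts, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE: two nameless, incompressible RWX sections and a plain .text."""
    rng = random.Random(1337)                    # deterministic stand-in for a packer payload
    blob0 = bytes(rng.getrandbits(8) for _ in range(4096))
    blob1 = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"\x90" * 2047 + b"\xc3"              # NOP sled + ret: low entropy, compresses well
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)   # i386, 3 sections, PE32 optional header
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                # PE32 magic, remainder zeroed
    hdr = dos + b"PE\0\0" + coff + optional
    hdr += _section_header(b"", 0x1000, blob0, 0x200, rwx)
    hdr += _section_header(b"", 0x2000, blob1, 0x1200, rwx)
    hdr += _section_header(b".text", 0x3000, text, 0x2200, rx)
    return hdr.ljust(0x200, b"\0") + blob0 + blob1 + text


if __name__ == "__main__":
    for index, name, reasons in triage(build_sample_pe()):
        print("section %d %s: %s" % (index, name or "<nameless>", ", ".join(reasons)))
```

Run against a real file with `triage(open(path, "rb").read())`. Only the two packed sections are reported; the plain .text section passes every check, which is the contrast a triage script needs so that every compressed resource section does not become an alert.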

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Windows\server.exe | File created: C:\Users\user\Documents\Google.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Executable created and started: C:\Windows\server.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\Desktop\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\Documents\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe
Source: C:\Windows\server.exe | File created: C:\Program Files (x86)\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\Favorites\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe
Source: C:\Windows\server.exe | File created: C:\Umbrella.flv.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Local\Google.exe
Source: C:\Windows\server.exe | File created: C:\Windows\SysWOW64\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe
Source: C:\Windows\server.exe | File created: C:\SublimeText.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Windows\server.exe
Source: C:\Windows\server.exe | File created: C:\system 32.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Source: C:\Windows\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
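The process chain recorded earlier in this report (XQehPgTn35.exe writes and starts C:\Windows\server.exe, which then runs `netsh firewall add allowedprogram`, `delete allowedprogram` and `add allowedprogram` again for itself) together with the startup-folder drops above is a compact persistence pattern that is easy to key a detection on. The following is an added example written for this page, not code from the Joe Sandbox report or the sample. It replays a constructed event stream modelled on the report's entries (plus two benign control lines under an invented "ExampleApp" path) through three rules: a firewall exception for a program outside trusted install directories, an executable dropped directly into the C:\Windows root and then started, and a PE written to a Startup folder; it also counts add/delete churn per program. The event layout (kind|actor|target|command line) and the trusted-path policy are assumptions. The legacy `netsh firewall` context used by the sample is deprecated in favour of `netsh advfirewall firewall`, so the example matches both syntaxes; a rule written for only one of them misses the other.

```python
"""Behavioural detection for the netsh firewall / dropped-executable persistence chain.

Added example for this page; not code from the Joe Sandbox report or the sample.
SAMPLE_LOG is constructed to mirror the report's entries plus two benign control lines.
"""
import re
from collections import Counter

# The legacy 'netsh firewall' context and the current 'netsh advfirewall firewall' syntax.
LEGACY_NETSH_RE = re.compile(
    r"netsh\s+firewall\s+(add|delete)\s+allowedprogram\s+['\"]?([^'\"]+)", re.I)
ADVFIREWALL_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b.*?program=['\"]?([^'\"]+)", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
# Assumed policy: exceptions for programs under these prefixes are not suspicious by themselves.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CHURN_THRESHOLD = 3   # add / delete / add of the same program within one trace

# Constructed event stream: kind|actor|target|command line (last field optional).
SAMPLE_LOG = r"""
file|C:\Users\user\Desktop\XQehPgTn35.exe|C:\Windows\server.exe
process|C:\Users\user\Desktop\XQehPgTn35.exe|C:\Windows\server.exe|'C:\Windows\server.exe'
process|C:\Windows\server.exe|C:\Windows\SysWOW64\netsh.exe|netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
process|C:\Windows\server.exe|C:\Windows\SysWOW64\netsh.exe|netsh firewall delete allowedprogram 'C:\Windows\server.exe'
process|C:\Windows\server.exe|C:\Windows\SysWOW64\netsh.exe|netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
file|C:\Windows\server.exe|C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
file|C:\Windows\server.exe|C:\Users\user\Documents\Google.exe
process|C:\Windows\explorer.exe|C:\Program Files\ExampleApp\app.exe|"C:\Program Files\ExampleApp\app.exe"
process|C:\Windows\System32\services.exe|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name=ExampleApp dir=in action=allow program="C:\Program Files\ExampleApp\app.exe"
"""


def firewall_program(cmdline: str):
    """Return (action, program path) for a netsh firewall exception command, else None."""
    for rx in (LEGACY_NETSH_RE, ADVFIREWALL_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1).lower(), m.group(2).strip()
    return None


def detect(log_text: str) -> list:
    """Return (line_no, rule_name, subject) alerts for an event stream in SAMPLE_LOG's layout."""
    created = set()              # paths written so far (lower-cased), for drop-then-start correlation
    netsh_changes = Counter()    # firewall exception changes per program path
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|", 3)
        kind, target = fields[0], fields[2]
        cmdline = fields[3] if len(fields) > 3 else ""
        if kind == "file":
            created.add(target.lower())
            if STARTUP_DIR_RE.search(target):
                alerts.append((line_no, "pe_dropped_to_startup_folder", target))
        elif kind == "process":
            # An .exe directly under C:\Windows (not a subdirectory) that this trace saw being written.
            if WINDOWS_ROOT_EXE_RE.match(target) and target.lower() in created:
                alerts.append((line_no, "dropped_exe_in_windows_root_started", target))
            fw = firewall_program(cmdline)
            if fw:
                action, program = fw
                netsh_changes[program.lower()] += 1
                if not program.lower().startswith(TRUSTED_PREFIXES):
                    alerts.append((line_no, "firewall_exception_%s_untrusted_path" % action, program))
    for program, count in netsh_changes.items():
        if count >= CHURN_THRESHOLD:
            alerts.append((0, "firewall_exception_churn", "%s (%d changes)" % (program, count)))
    return alerts


if __name__ == "__main__":
    for line_no, rule, subject in detect(SAMPLE_LOG):
        print("line %d  %-40s %s" % (line_no, rule, subject))
```

The benign control lines produce nothing: an advfirewall rule for a program under Program Files passes the path policy, and a normal process launch from Program Files is not a drop-then-start. The churn rule fires on the add/delete/add sequence even on a host where the program path itself would have been trusted, which is the behaviour worth keeping when tuning the path list for an environment.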
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Process information set: NOOPENFILEERRORBOX (50 identical entries)
Source: C:\Windows\server.exe; Process information set: NOOPENFILEERRORBOX (64 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Windows\server.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\server.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Window / User API: threadDelayed 718
Source: C:\Windows\server.exe; Window / User API: threadDelayed 404
Source: C:\Windows\server.exe; Window / User API: threadDelayed 398
Source: C:\Windows\server.exe; Window / User API: foregroundWindowGot 567
Source: C:\Users\user\Desktop\XQehPgTn35.exe TID: 6472; Thread sleep count: 718 > 30
Source: C:\Users\user\Desktop\XQehPgTn35.exe TID: 6572; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\server.exe TID: 6652; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\server.exe TID: 6780; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 5696; Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 2100; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe TID: 6744; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (3 identical entries)
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Code function: 0_2_00D67A2C FindFirstFileA,
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\server.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: Google.exe; Binary or memory string: VBoxService.exe
Source: XQehPgTn35.exe, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp; Binary or memory string: ~VirtualMachineTypes
Source: XQehPgTn35.exe, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp; Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Google.exe; Binary or memory string: VMWare
Source: XQehPgTn35.exe, 00000000.00000002.201236294.0000000000C42000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.255054974.0000000000F02000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286192987.0000000001472000.00000040.00020000.sdmp; Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp; Binary or memory string: &VBoxService.exe
Source: C:\Windows\server.exe; Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Thread information set: HideFromDebugger
Source: C:\Windows\server.exe; Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe; Thread information set: HideFromDebugger
Source: C:\Windows\server.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Process created: C:\Windows\server.exe 'C:\Windows\server.exe'
Source: XQehPgTn35.exe, 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp; Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: XQehPgTn35.exe, 00000000.00000002.204294219.0000000005F3B000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257313375.00000000036C1000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.288890371.00000000032F6000.00000004.00000001.sdmp; Binary or memory string: Program Manager
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe; Binary or memory string: Shell_TrayWnd
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe; Binary or memory string: ProgMan
Source: XQehPgTn35.exe, 00000000.00000002.202841791.0000000003E63000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257313375.00000000036C1000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.288890371.00000000032F6000.00000004.00000001.sdmp; Binary or memory string: kredProgram Manager
Source: XQehPgTn35.exe, 00000000.00000002.204294219.0000000005F3B000.00000004.00000001.sdmp, Microsoft Corporation.exe, 0000000B.00000002.257529987.000000000598B000.00000004.00000001.sdmp, Google.exe, 0000000E.00000002.289379384.000000000557B000.00000004.00000001.sdmp; Binary or memory string: rdProgram Manager
Source: XQehPgTn35.exe, Microsoft Corporation.exe, Google.exe; Binary or memory string: Shell_traywnd
Source: C:\Users\user\Desktop\XQehPgTn35.exe; Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation (6 identical entries)
Source: C:\Windows\server.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)
Source: C:\Windows\server.exe; Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Modifies the windows firewall
Source: C:\Windows\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
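The DisableTaskMgr policy value and the netsh firewall exception above are the host-side changes a responder has to find and undo, alongside the dropped binaries and Startup-folder copies listed elsewhere in this report. The following PowerShell triage script is an added example written for this page; it is not code from Joe Sandbox or from the sample. The registry value, the firewall program path, the file paths and the autorun.inf behaviour are taken from the report; the -Remediate switch, the $findings list and the output wording are this script's own assumptions. Run it from an elevated session, since enumerating and removing firewall rules requires administrator rights.

```powershell
# Added triage example for this report; not code from Joe Sandbox or from the sample.
# Artifacts checked: DisableTaskMgr policy, firewall exception for C:\Windows\server.exe,
# dropped/persisted binaries, autorun.inf on removable media. -Remediate is an assumption
# of this script; without it the script only reports.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Task Manager disabled through the per-user policy key (written by server.exe in the report)
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -ne 0) {
    $findings.Add("DisableTaskMgr=$($pol.DisableTaskMgr) at $polKey")
    if ($Remediate) { Remove-ItemProperty -Path $polKey -Name DisableTaskMgr }
}

# 2. Exception created by: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
#    The legacy netsh context writes an ordinary firewall rule, so the NetSecurity cmdlets
#    can locate it through its application filter (match on the program path, not the rule name).
$rules = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\server.exe' } |
    Get-NetFirewallRule
foreach ($rule in $rules) {
    $findings.Add("Firewall rule '$($rule.DisplayName)' (Enabled=$($rule.Enabled), Action=$($rule.Action)) covers server.exe")
    if ($Remediate) { $rule | Remove-NetFirewallRule }
}

# 3. Dropped binaries and Startup-folder copies named in the report
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$paths = @(
    'C:\Windows\server.exe',
    'C:\system 32.exe',
    (Join-Path $env:USERPROFILE 'Documents\Google.exe'),
    (Join-Path $startup 'Google.exe'),
    (Join-Path $startup 'Microsoft Corporation.exe')
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Present: $path SHA256=$sha256")
        # Deliberately not deleted, even with -Remediate: acquire the file first, then remove it.
    }
}

# 4. autorun.inf on removable drives (report: 'Creates autorun.inf (USB autostart)')
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -eq 'Removable' -and $drive.IsReady) {
        $inf = Join-Path $drive.Name 'autorun.inf'
        if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf on removable drive: $inf") }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report were found.' } else { $findings }
```

Matching the firewall rule by program path rather than by the display name 'server.exe' matters because the name is whatever the operator passed to netsh, while the application filter holds the path the rule actually applies to. The DisableTaskMgr check uses -ne 0 rather than -eq 1 so that any non-zero value the malware might write is reported.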

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match; File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match; File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match; File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match; File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Njrat
Source: Yara match; File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match; File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match; File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match; File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Columns are separated by "|". Digits following a technique name are the report's per-technique signature-count badges, kept as extracted; "-" marks an empty cell.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 21 | Windows Management Instrumentation | Startup Items 1 | Startup Items 1 | Masquerading 132 | Input Capture 1 | Security Software Discovery 211 | Replication Through Removable Media 21 | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 12 | Process Injection 12 | Disable or Modify Tools 31 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 12 | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Peripheral Device Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 33 | DCSync | File and Directory Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 22 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 433012 | Sample: XQehPgTn35.exe | Start date: 11/06/2021 | Architecture: WINDOWS | Score: 100

Graph-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures. Contacted domain: 4.tcp.ngrok.io.

Process tree (dropped files, network contacts and signatures are listed under the process that produced them):

XQehPgTn35.exe (started)
    dropped: C:\Windows\server.exe (PE32); C:\Users\user\AppData\...\XQehPgTn35.exe.log (ASCII)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops executables to the windows directory (C:\Windows) and starts them
    server.exe (started)
        contacts: 3.129.187.220 port 15409 (local ports 49730, 49731; AMAZON-02US, United States); 3.136.65.236 port 15409 (local ports 49748, 49749; AMAZON-02US, United States); 4.tcp.ngrok.io = 3.138.180.119 port 15409 (local ports 49727, 49729; AMAZON-02US, United States)
        dropped: C:\system 32.exe (PE32); C:\Users\user\Documents\Google.exe (PE32); C:\Users\user\...\Microsoft Corporation.exe (PE32); 13 other files (10 malicious)
        signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user; Creates autorun.inf (USB autostart); 6 other signatures
        netsh.exe (started, three instances)
            conhost.exe (started, one per netsh.exe)
Google.exe (started)
    signatures: Hides threads from debuggers
Microsoft Corporation.exe (started)
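The tree above is the chain a triage rule set should catch: a PE dropped straight into C:\Windows and executed, that PE spawning netsh.exe to change the firewall, a copy in the user's Startup folder, and a reverse tunnel through ngrok's TCP endpoints. The following Python is an added example, not Joe Sandbox code, that encodes those four behaviours as rules and runs them over constructed process and network events mirroring the tree. The netsh command line, the parent images and the allow-list of legitimate C:\Windows-root binaries are assumptions of the example; the graph shows the spawns and the destinations, not the command lines.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the started process
    parent: str         # full path of its parent
    cmdline: str = ""   # command line, if the sensor recorded one


@dataclass(frozen=True)
class NetEvent:
    image: str          # process that opened the connection
    host: str           # resolved destination name, or the IP if none
    port: int           # destination port


Finding = Tuple[str, str]   # (rule name, detail)

# Binaries that legitimately live directly under C:\Windows. Illustrative
# allow-list (an assumption of this example); extend it for your estate.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "winhlp32.exe"}
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# ngrok TCP tunnel endpoints look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io.
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(path: str) -> bool:
    """True for C:\\Windows\\<file>, false for anything in a subdirectory."""
    p = path.lower()
    return p.startswith("c:\\windows\\") and p.count("\\") == 2


def user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def triage(procs: List[ProcEvent], conns: List[NetEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in procs:
        img = ev.image.lower()
        # Rule 1: a PE dropped straight into C:\Windows and executed.
        if in_windows_root(img) and _base(img) not in WINDOWS_ROOT_ALLOW:
            findings.append(("pe_in_windows_root", ev.image))
        # Rule 2: a PE running out of the per-user Startup folder.
        if STARTUP_DIR in img:
            findings.append(("startup_folder_pe", ev.image))
        # Rule 3: netsh changing the firewall for a parent that is itself a
        # dropped binary (C:\Windows root or a user-writable location).
        if _base(img) == "netsh.exe" and "firewall" in ev.cmdline.lower():
            parent = ev.parent.lower()
            suspicious_parent = (
                (in_windows_root(parent) and _base(parent) not in WINDOWS_ROOT_ALLOW)
                or user_writable(parent)
            )
            if suspicious_parent:
                findings.append(("netsh_firewall_from_dropped_pe", ev.cmdline))
    for c in conns:
        # Rule 4: reverse tunnel through ngrok. The port (15409 in the report)
        # is chosen by the tenant and varies; the hostname pattern is what to key on.
        if NGROK_TCP.match(c.host):
            findings.append(("ngrok_tcp_tunnel", f"{c.image} -> {c.host}:{c.port}"))
    return findings


# Constructed events mirroring the report's tree (not captured telemetry).
SAMPLE_PROCS = [
    ProcEvent(r"C:\Users\user\Desktop\XQehPgTn35.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\server.exe", r"C:\Users\user\Desktop\XQehPgTn35.exe"),
    # The netsh command line is an assumption; the report only shows the spawn.
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"C:\Windows\server.exe",
              'netsh firewall add allowedprogram "C:\\Windows\\server.exe" "server.exe" ENABLE'),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\netsh.exe"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe"),   # benign control
]
SAMPLE_CONNS = [
    NetEvent(r"C:\Windows\server.exe", "4.tcp.ngrok.io", 15409),
    NetEvent(r"C:\Windows\server.exe", "3.129.187.220", 15409),   # same tunnel, no name resolved
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.bing.com", 443),
]


def run_sample() -> List[Finding]:
    return triage(SAMPLE_PROCS, SAMPLE_CONNS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:32s} {detail}")
```

Rule 4 deliberately keys on the ngrok hostname rather than the IP or port: the three AWS addresses in this report are ngrok's shared tunnel endpoints and the port is tenant-chosen, so the second connection in the sample, which has no resolved name, is not flagged by this rule alone and needs DNS correlation or the ngrok IP ranges.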


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
XQehPgTn35.exe | 44% | Virustotal |
XQehPgTn35.exe | 43% | Metadefender |
XQehPgTn35.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
XQehPgTn35.exe | 100% | Avira | HEUR/AGEN.1128047
XQehPgTn35.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\Google.exe (10 identical entries) | 100% | Avira | HEUR/AGEN.1128047
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | 100% | Avira | HEUR/AGEN.1128047
C:\Windows\server.exe | 100% | Avira | HEUR/AGEN.1128047
C:\system 32.exe | 100% | Avira | HEUR/AGEN.1128047
C:\Umbrella.flv.exe | 100% | Avira | HEUR/AGEN.1128047
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Avira | HEUR/AGEN.1128047
C:\SublimeText.exe | 100% | Avira | HEUR/AGEN.1128047
C:\Program Files (x86)\Google.exe (10 identical entries) | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | 100% | Joe Sandbox ML |
C:\Windows\server.exe | 100% | Joe Sandbox ML |
C:\system 32.exe | 100% | Joe Sandbox ML |
C:\Umbrella.flv.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Joe Sandbox ML |
C:\SublimeText.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google.exe | 44% | Virustotal |
C:\Program Files (x86)\Google.exe | 43% | Metadefender |
C:\Program Files (x86)\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\SublimeText.exe | 43% | Metadefender |
C:\SublimeText.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Umbrella.flv.exe | 43% | Metadefender |
C:\Umbrella.flv.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Google.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | 43% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | 43% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 43% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 62% | ReversingLabs | Win32.Backdoor.Bladabhindi

Every dropped file carries the same scanner ratios and the same labels as the initial sample (44% / 43% / 62%, Win32.Backdoor.Bladabhindi, HEUR/AGEN.1128047), which is consistent with the drops being copies of one payload written under different names and locations rather than distinct second-stage binaries.

          Unpacked PE Files

Source | Detection | Scanner | Label
11.2.Microsoft Corporation.exe.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Google.exe.1310000.0.unpack | 100% | Avira | HEUR/AGEN.1128047
0.2.XQehPgTn35.exe.afc000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
14.2.Google.exe.132c000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
14.2.Google.exe.1310000.0.unpack | 100% | Avira | TR/Dropper.Gen
11.2.Microsoft Corporation.exe.dbc000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
2.0.server.exe.9c0000.0.unpack | 100% | Avira | HEUR/AGEN.1128047
0.0.XQehPgTn35.exe.ae0000.0.unpack | 100% | Avira | HEUR/AGEN.1128047
11.0.Microsoft Corporation.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1128047
0.2.XQehPgTn35.exe.ae0000.0.unpack | 100% | Avira | TR/Dropper.Gen

          Domains

Source | Detection | Scanner | Label
4.tcp.ngrok.io | 12% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.enigmaprotector.com/ | 1% | Virustotal |
http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe
[i] | 0% | Avira URL Cloud | safe
http://www.enigmaprotector.com/openU | 1% | Virustotal |
http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
4.tcp.ngrok.io | 3.138.180.119 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
[i] | true | Avira URL Cloud: safe | low

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.enigmaprotector.com/ | Google.exe, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.enigmaprotector.com/openU | XQehPgTn35.exe, 00000000.00000002.201116536.0000000000AFC000.00000040.00020000.sdmp; Microsoft Corporation.exe, 0000000B.00000002.254136129.0000000000DBC000.00000040.00020000.sdmp; Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown

The enigmaprotector.com strings are the vendor URL embedded by the Enigma Protector packer stub and are present in the initial sample and both dropped copies; they are an artifact of the Software Packing detection, not contact points, and should not be added to a block list on the strength of this report.

          Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.129.187.220 | unknown | United States | 16509 | AMAZON-02US | true
3.138.180.119 | 4.tcp.ngrok.io | United States | 16509 | AMAZON-02US | true
3.136.65.236 | unknown | United States | 16509 | AMAZON-02US | true

          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433012
Start date: 11.06.2021
Start time: 05:37:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: XQehPgTn35.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.adwa.evad.winEXE@14/27@35/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 7.6% (good quality ratio 7.4%)
• Quality average: 74%
• Quality standard deviation: 24.4%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 40.88.32.150, 104.42.151.234, 13.88.21.125, 23.218.208.56
          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcoleus15.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

Time | Type | Description
05:38:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
05:38:12 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
05:38:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe

          Joe Sandbox View / Context

          IPs

Match | Associated Sample Name / URL | Detection

3.129.187.220 | FiYBg9R8m0.exe, BWAlL8lrQb.exe, H4Q0I1RIuW.exe, CpOFmSHBGH.exe, GBtiwIB30h.exe, 63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe, D3AAB88BB737961C971ED047B4C2D5B640EFF8E678781.exe, DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe, tmkfdBpwAx.exe, J6wDHe2QdA.exe, LGKacQbjeH.exe, qiCot2DU55.exe, YZJfsPAFBJ.exe, aYqoy7xF7y.exe, Krtw4Kl87V.exe, PsbfBdoToY.exe, BcaDguoEzV.exe, Oct Invoices 8984.exe, Invoices 489.exe, Invoices 073.exe | all malicious

3.138.180.119 | BWAlL8lrQb.exe, 0BFE93ABC8B3801B7E906960F6D69CC51088B76544EFC.exe, ooAUh9ba7E.exe, A6FAm1ae1j.exe, GBtiwIB30h.exe, vZvmgrCXam.exe, DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe, tmkfdBpwAx.exe, J6wDHe2QdA.exe, LGKacQbjeH.exe, aYqoy7xF7y.exe, Krtw4Kl87V.exe, zOlLBCUG9R.exe, ysJ2pAd54Z.exe, rQMm2jZD.exe, BcaDguoEzV.exe | all malicious

3.136.65.236 | H4Q0I1RIuW.exe, ooAUh9ba7E.exe, CpOFmSHBGH.exe, GBtiwIB30h.exe, 63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe, DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe, tmkfdBpwAx.exe, J6wDHe2QdA.exe, LGKacQbjeH.exe, qiCot2DU55.exe, yEh8mVeLA6.exe, XFdEhEAPeE.exe, YZJfsPAFBJ.exe, aYqoy7xF7y.exe, YFZX6dTsiT.exe, rQMm2jZD.exe, mNxVbma4uT.exe, BcaDguoEzV.exe, Invoices 485.exe, Invoices 489.exe | all malicious

All three addresses are resolutions of ngrok's TCP tunnel endpoints (4.tcp.ngrok.io resolves to 3.138.180.119 in this run), so the overlap with other samples reflects shared tunnel infrastructure rather than a single operator; the tenant-specific part of the C2 is the tunnel port, 15409 here, together with the hostname.

                                                                                                                          Domains

Match | Associated Sample Name / URL (resolved IP) | Detection

4.tcp.ngrok.io | FiYBg9R8m0.exe (3.133.207.110), BWAlL8lrQb.exe (3.129.187.220), 0BFE93ABC8B3801B7E906960F6D69CC51088B76544EFC.exe (3.138.180.119), H4Q0I1RIuW.exe (3.129.187.220), ooAUh9ba7E.exe (3.133.207.110), A6FAm1ae1j.exe (3.133.207.110), CpOFmSHBGH.exe (3.133.207.110), GBtiwIB30h.exe (3.22.15.135), vZvmgrCXam.exe (3.138.180.119), 63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe (3.136.65.236), D3AAB88BB737961C971ED047B4C2D5B640EFF8E678781.exe (3.22.15.135), DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe (3.129.187.220), tmkfdBpwAx.exe (3.131.147.49), J6wDHe2QdA.exe (3.136.65.236), LGKacQbjeH.exe (3.138.180.119), qiCot2DU55.exe (3.136.65.236), yEh8mVeLA6.exe (3.136.65.236), XFdEhEAPeE.exe (3.136.65.236), YZJfsPAFBJ.exe (3.131.147.49), T91uHSVq.exe (3.131.147.49) | all malicious

                                                                                                                          ASN

Match | Associated Sample Name / URL (contacted IP) | Detection

AMAZON-02US | E1a92ARmPw.exe (35.157.179.180), crt9O3URua.exe (35.157.179.180), E1a92ARmPw.exe (52.218.105.219), DNPr7t0GMY.exe (13.59.53.244), lTAPQJikGw.exe (99.83.154.118), SKlGhwkzTi.exe (44.227.65.245), SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (13.59.53.244), Letter 1019.xlsx (18.140.1.169), #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM (143.204.98.37), Proforma Invoice and Bank swift-REG.PI-0086547654.exe (75.2.26.18), U03c2doc.exe (108.128.238.226), Letter 09JUN 2021.xlsx (18.140.1.169), Docc.html (13.224.99.74), ManyToOneMailMerge Ver 18.2.dotm (52.209.246.140), Sleek_Free.exe (143.204.209.58), ManyToOneMailMerge Ver 18.2.dotm (52.216.141.230), #Ud83d#Udcde_#U25b6#Ufe0f.htm (15.236.176.210), WV Northern Community College.docx (52.43.249.183), wzdu53.exe (13.249.13.113), com.duolingo_1162_apps.evozi.com.apk (52.222.174.5) | all malicious
                                                                                                                          AMAZON-02USE1a92ARmPw.exeGet hashmaliciousBrowse
                                                                                                                          • 35.157.179.180
                                                                                                                          crt9O3URua.exeGet hashmaliciousBrowse
                                                                                                                          • 35.157.179.180
                                                                                                                          E1a92ARmPw.exeGet hashmaliciousBrowse
                                                                                                                          • 52.218.105.219
                                                                                                                          DNPr7t0GMY.exeGet hashmaliciousBrowse
                                                                                                                          • 13.59.53.244
                                                                                                                          lTAPQJikGw.exeGet hashmaliciousBrowse
                                                                                                                          • 99.83.154.118
                                                                                                                          SKlGhwkzTi.exeGet hashmaliciousBrowse
                                                                                                                          • 44.227.65.245
                                                                                                                          SecuriteInfo.com.Trojan.Packed2.43183.29557.exeGet hashmaliciousBrowse
                                                                                                                          • 13.59.53.244
                                                                                                                          Letter 1019.xlsxGet hashmaliciousBrowse
                                                                                                                          • 18.140.1.169
                                                                                                                          #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTMGet hashmaliciousBrowse
                                                                                                                          • 143.204.98.37
                                                                                                                          Proforma Invoice and Bank swift-REG.PI-0086547654.exeGet hashmaliciousBrowse
                                                                                                                          • 75.2.26.18

                                                                                                                          JA3 Fingerprints

                                                                                                                          No context

                                                                                                                          Dropped Files

                                                                                                                          No context

                                                                                                                          Created / dropped Files

                                                                                                                          C:\Program Files (x86)\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Program Files (x86)\Google.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                           • Antivirus: Virustotal, Detection: 44%
                                                                                                                           • Antivirus: Metadefender, Detection: 43%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          Reputation:low
                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................p............... ........@.. ........................8...........@................................. .)...............................).................................................................................................. ......................@............ ..........................@.............(.........................@....data....@....)..,...F..............@..................................................*FL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          C:\SublimeText.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\SublimeText.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                           • Antivirus: Metadefender, Detection: 43%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          Reputation:low
                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................p............... ........@.. ........................8...........@................................. .)...............................).................................................................................................. ......................@............ ..........................@.............(.........................@....data....@....)..,...F..............@..................................................*FL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          C:\Umbrella.flv.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Umbrella.flv.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                           • Antivirus: Metadefender, Detection: 43%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          Reputation:low
C:\Users\user\AppData\Local\Google.exe
Process: C:\Windows\server.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1143296
Entropy (8bit): 7.98927615016363
Encrypted: false
SSDEEP: 24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
MD5: 595C00BF9CA4BAA42B4490F2782CF2D3
SHA1: D1441CC336655F36EFC3DB070F84701A1F68E51A
SHA-256: 6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
SHA-512: AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 62%
Reputation: low
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Google.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5: 80EFBEC081D7836D240503C4C9465FEC
SHA1: 6AF398E08A359457083727BAF296445030A55AC3
SHA-256: C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512: DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5: 80EFBEC081D7836D240503C4C9465FEC
SHA1: 6AF398E08A359457083727BAF296445030A55AC3
SHA-256: C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512: DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\XQehPgTn35.exe.log
Process: C:\Users\user\Desktop\XQehPgTn35.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5: 80EFBEC081D7836D240503C4C9465FEC
SHA1: 6AF398E08A359457083727BAF296445030A55AC3
SHA-256: C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512: DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious: true
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe
Process: C:\Windows\server.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1143296
Entropy (8bit): 7.98927615016363
Encrypted: false
SSDEEP: 24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
MD5: 595C00BF9CA4BAA42B4490F2782CF2D3
SHA1: D1441CC336655F36EFC3DB070F84701A1F68E51A
SHA-256: 6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
SHA-512: AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 62%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe
Process: C:\Windows\server.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1143296
Entropy (8bit): 7.98927615016363
Encrypted: false
SSDEEP: 24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
MD5: 595C00BF9CA4BAA42B4490F2782CF2D3
SHA1: D1441CC336655F36EFC3DB070F84701A1F68E51A
SHA-256: 6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
SHA-512: AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 62%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe
Process: C:\Windows\server.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1143296
Entropy (8bit): 7.98927615016363
Encrypted: false
SSDEEP: 24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
MD5: 595C00BF9CA4BAA42B4490F2782CF2D3
SHA1: D1441CC336655F36EFC3DB070F84701A1F68E51A
SHA-256: 6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
SHA-512: AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 62%
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
Process: C:\Windows\server.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1143296
Entropy (8bit): 7.98927615016363
Encrypted: false
SSDEEP: 24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
MD5: 595C00BF9CA4BAA42B4490F2782CF2D3
SHA1: D1441CC336655F36EFC3DB070F84701A1F68E51A
SHA-256: 6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
SHA-512: AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
Malicious: true
Yara Hits:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                           • Antivirus: Metadefender, Detection: 43%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                           • Antivirus: Metadefender, Detection: 43%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          C:\Users\user\AppData\Roaming\app
                                                                                                                          Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
                                                                                                                          File Type:UTF-8 Unicode (with BOM) text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5
                                                                                                                          Entropy (8bit):1.9219280948873623
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:yn:yn
                                                                                                                          MD5:24E9E7D7EEA4DE90C8FC67AE1145ABF2
                                                                                                                          SHA1:DD9BB46CCC6340CA892CF17EBE32B9BDBADEE2D1
                                                                                                                          SHA-256:BD6C1D15579254E8879ADA07376F93CB2E959F45670374892FDE2EFAF4194F6C
                                                                                                                          SHA-512:5572AFD61C7BA666515A987F23AD0A05AB753BDC28CFA492ADB30200207427A4A38699D3B7981E0750414775A4CE72A209511951D38A8673C709B08774FCA01F
                                                                                                                          Malicious:false
                                                                                                                          Preview: .11
                                                                                                                          C:\Users\user\Desktop\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:false
                                                                                                                          C:\Users\user\Documents\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          C:\Users\user\Favorites\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:false
                                                                                                                          C:\Windows\SysWOW64\Google.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:false
                                                                                                                          C:\Windows\server.exe
                                                                                                                          Process:C:\Users\user\Desktop\XQehPgTn35.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\server.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          C:\autorun.inf
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):55
                                                                                                                          Entropy (8bit):4.474554204780528
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:It1KV2PHQCyK0x:e1KAwCyD
                                                                                                                          MD5:40B1630BE21F39CB17BD1963CAE5A207
                                                                                                                          SHA1:63C14BD151D42820DD45C033363FA5B9E1D34124
                                                                                                                          SHA-256:F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
                                                                                                                          SHA-512:833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
                                                                                                                          Malicious:true
                                                                                                                          Preview: [autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..
                                                                                                                          C:\system 32.exe
                                                                                                                          Process:C:\Windows\server.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1143296
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          MD5:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          SHA1:D1441CC336655F36EFC3DB070F84701A1F68E51A
                                                                                                                          SHA-256:6884AC9F82A44A7702C4807DEEC1640B66EB71F6C750DD0CA1D5D78632E626B5
                                                                                                                          SHA-512:AAA673ADB4511D7E4BA5836F6874B047E8C2B31F86E005D46094A47626D23F97D72874307538C451541DBB44905503DF2227902E9F4CCFFA4D9836981ABCD2E6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\system 32.exe, Author: Florian Roth
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................p............... ........@.. ........................8...........@................................. .)...............................).................................................................................................. ......................@............ ..........................@.............(.........................@....data....@....)..,...F..............@..................................................*FL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          \Device\ConDrv
                                                                                                                          Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):313
                                                                                                                          Entropy (8bit):4.971939296804078
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                                                                          MD5:689E2126A85BF55121488295EE068FA1
                                                                                                                          SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                                                                          SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                                                                          SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                                                                          Malicious:false
                                                                                                                          Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                                                                                                                          Static File Info

                                                                                                                          General

                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.98927615016363
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:XQehPgTn35.exe
                                                                                                                          File size:1143296
                                                                                                                          MD5:595c00bf9ca4baa42b4490f2782cf2d3
                                                                                                                          SHA1:d1441cc336655f36efc3db070f84701a1f68e51a
                                                                                                                          SHA256:6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
                                                                                                                          SHA512:aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
                                                                                                                          SSDEEP:24576:DPnLbQ9A/PFjHhefsVJ1ff9IS/+AhMrRekPHnu6DNO:DPImPFUQJVIg+WMrwOu6DN
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................p............... ........@.. ........................8...........@................................

                                                                                                                          File Icon

                                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                                          Static PE Info

                                                                                                                          General

                                                                                                                          Entrypoint:0x4087b0
                                                                                                                          Entrypoint Section:
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                                                                                                          Time Stamp:0x60B61FAE [Tue Jun 1 11:53:18 2021 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:2e5467cba76f44a088d39f78c5e807b6

                                                                                                                          Entrypoint Preview

                                                                                                                          Instruction
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          add esp, FFFFFFF0h
                                                                                                                          mov eax, 00401000h
                                                                                                                          call 00007F42888039D6h
                                                                                                                          call far 5DE5h : 8B10C483h
                                                                                                                          jmp 00007F4288B78961h
                                                                                                                          xchg eax, ebx
                                                                                                                          das
                                                                                                                          pop ecx
                                                                                                                          fimul word ptr [ecx]
                                                                                                                          scasd
                                                                                                                          jbe 00007F4288803992h
                                                                                                                          stc
                                                                                                                          outsb
                                                                                                                          mov dl, 89h
                                                                                                                          cmpsd
                                                                                                                          pop es
                                                                                                                          dec ebp
                                                                                                                          les ecx, fword ptr [edi]
                                                                                                                          stosd
                                                                                                                          salc
                                                                                                                          cmp ebx, dword ptr [ecx+23h]
                                                                                                                          salc
                                                                                                                          je 00007F42888039BAh
                                                                                                                          add al, 46h
                                                                                                                          jbe 00007F42888039CEh
                                                                                                                          in eax, 48h
                                                                                                                          imul eax, dword ptr [edx], 58FF3743h
                                                                                                                          dec ecx
                                                                                                                          jnbe 00007F4288803A01h
                                                                                                                          or eax, 5A7F49C4h
                                                                                                                          xchg eax, esi
                                                                                                                          mov ebx, dword ptr [edx]
                                                                                                                          call 00007F429F5EECBFh
                                                                                                                          sub ebx, dword ptr [eax+247EDDBBh]
                                                                                                                          in eax, dx
                                                                                                                          xchg dword ptr [ecx+esi*4+4Fh], ecx
                                                                                                                          lodsd
                                                                                                                          mov bh, 01h
                                                                                                                          xchg dword ptr [edx], ebx
                                                                                                                          push 0D715D85h
                                                                                                                          outsb
                                                                                                                          mov ch, 85h
                                                                                                                          loop 00007F4288803A38h
                                                                                                                          cwde
                                                                                                                          aad F9h

                                                                                                                          Data Directories

                                                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x29c020         0x210         .data
                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x29c000         0xc           .data
                                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                          Sections

                                                                                                                          Name       Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                                                                          (unnamed)  0x2000           0x18000       0x8600    False     0.989884561567   data       7.97927562362   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                          (unnamed)  0x1a000          0x2000        0x200     False     0.0546875        data       0.305313057312  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                          (unnamed)  0x1c000          0x280000      0x2ba00   unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                          .data      0x29c000         0xe4000       0xe2c00   False     0.997420238423   data       7.9850157277    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                                                                                                          Imports

                                                                                                                          DLL           Import
                                                                                                                          kernel32.dll  GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                                                                                                                          user32.dll    MessageBoxA
                                                                                                                          advapi32.dll  RegCloseKey
                                                                                                                          oleaut32.dll  SysFreeString
                                                                                                                          gdi32.dll     CreateFontA
                                                                                                                          shell32.dll   ShellExecuteA
                                                                                                                          version.dll   GetFileVersionInfoA
                                                                                                                          mscoree.dll   _CorExeMain

                                                                                                                          Network Behavior

                                                                                                                          Snort IDS Alerts

                                                                                                                          Timestamp                 Protocol  SID      Message                                      Source Port  Dest Port  Source IP    Dest IP
                                                                                                                          06/11/21-05:38:32.480901  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49727        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:38:35.122490  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49729        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:38:37.883521  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49730        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:40.816135  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49731        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:43.655370  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49732        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:46.534439  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49733        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:49.820340  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49734        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:52.550734  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49735        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:38:55.325429  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49736        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:38:58.026524  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49737        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:01.781328  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49738        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:04.485435  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49739        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:08.299471  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49740        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:10.989140  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49741        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:13.686687  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49742        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:16.472819  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49743        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:19.192478  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49744        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:21.879780  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49745        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:26.277451  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49746        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:28.697781  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49747        15409      192.168.2.3  3.129.187.220
                                                                                                                          06/11/21-05:39:31.432722  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49748        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:34.209617  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49749        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:36.900868  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49750        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:39.620373  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49751        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:43.395380  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49752        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:46.772436  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49753        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:49.556360  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49754        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:52.263322  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49755        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:39:54.965375  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49756        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:39:57.721057  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49757        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:40:00.642878  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49758        15409      192.168.2.3  3.136.65.236
                                                                                                                          06/11/21-05:40:03.342398  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49759        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:40:06.076276  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49760        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:40:08.799968  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49761        15409      192.168.2.3  3.138.180.119
                                                                                                                          06/11/21-05:40:11.612120  TCP       2021176  ET TROJAN Bladabindi/njRAT CnC Command (ll)  49762        15409      192.168.2.3  3.138.180.119

                                                                                                                          Network Port Distribution

                                                                                                                          TCP Packets

                                                                                                                          TimestampSource PortDest PortSource IPDest IP

                                                                                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Jun 11, 2021 05:39:31.275702953 CEST53557088.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:33.976038933 CEST5680353192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:34.036474943 CEST53568038.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:36.682391882 CEST5714553192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:36.741065979 CEST53571458.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:39.395881891 CEST5535953192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:39.457341909 CEST53553598.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:42.354665995 CEST5830653192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:42.414808989 CEST53583068.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:46.567203999 CEST6412453192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:46.626611948 CEST53641248.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:49.323838949 CEST4936153192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:49.382500887 CEST53493618.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:52.042948008 CEST6315053192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:52.093952894 CEST53631508.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:54.735972881 CEST5327953192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:54.798815012 CEST53532798.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:39:57.523766994 CEST5688153192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:39:57.577550888 CEST53568818.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:40:00.395754099 CEST5364253192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:40:00.449871063 CEST53536428.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:40:03.119240046 CEST5566753192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:40:03.181199074 CEST53556678.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:40:05.865139008 CEST5483353192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:40:05.927911043 CEST53548338.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:40:08.588099957 CEST6247653192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:40:08.651952982 CEST53624768.8.8.8192.168.2.3
                                                                                                                          Jun 11, 2021 05:40:11.383903980 CEST4970553192.168.2.38.8.8.8
                                                                                                                          Jun 11, 2021 05:40:11.447014093 CEST53497058.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 05:38:28.096605062 CEST | 192.168.2.3 | 8.8.8.8 | 0xf277 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:34.836051941 CEST | 192.168.2.3 | 8.8.8.8 | 0xb8e8 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:37.599096060 CEST | 192.168.2.3 | 8.8.8.8 | 0xee6 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:40.598186016 CEST | 192.168.2.3 | 8.8.8.8 | 0x32c4 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:43.438324928 CEST | 192.168.2.3 | 8.8.8.8 | 0x38f4 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:46.221971035 CEST | 192.168.2.3 | 8.8.8.8 | 0xe038 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:49.135191917 CEST | 192.168.2.3 | 8.8.8.8 | 0xd1a8 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:52.318876028 CEST | 192.168.2.3 | 8.8.8.8 | 0xf5b5 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:55.058105946 CEST | 192.168.2.3 | 8.8.8.8 | 0x8c7d | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:57.808234930 CEST | 192.168.2.3 | 8.8.8.8 | 0x921b | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:01.317874908 CEST | 192.168.2.3 | 8.8.8.8 | 0xb963 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:04.265638113 CEST | 192.168.2.3 | 8.8.8.8 | 0x118b | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:07.983109951 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb61 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:10.783400059 CEST | 192.168.2.3 | 8.8.8.8 | 0xf912 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:13.477179050 CEST | 192.168.2.3 | 8.8.8.8 | 0xfec0 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:16.255187035 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d5a | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:18.974092960 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd57 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:21.679620981 CEST | 192.168.2.3 | 8.8.8.8 | 0x8ed1 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:24.601767063 CEST | 192.168.2.3 | 8.8.8.8 | 0x8f77 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:28.487149000 CEST | 192.168.2.3 | 8.8.8.8 | 0x847c | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:31.214534998 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb5f | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:33.976038933 CEST | 192.168.2.3 | 8.8.8.8 | 0x53ca | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:36.682391882 CEST | 192.168.2.3 | 8.8.8.8 | 0x91f6 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:39.395881891 CEST | 192.168.2.3 | 8.8.8.8 | 0x87b1 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:42.354665995 CEST | 192.168.2.3 | 8.8.8.8 | 0x6eba | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:46.567203999 CEST | 192.168.2.3 | 8.8.8.8 | 0x9a26 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:49.323838949 CEST | 192.168.2.3 | 8.8.8.8 | 0x5276 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:52.042948008 CEST | 192.168.2.3 | 8.8.8.8 | 0xd7a2 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:54.735972881 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e44 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:57.523766994 CEST | 192.168.2.3 | 8.8.8.8 | 0xafac | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:00.395754099 CEST | 192.168.2.3 | 8.8.8.8 | 0x659c | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:03.119240046 CEST | 192.168.2.3 | 8.8.8.8 | 0x7d9e | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:05.865139008 CEST | 192.168.2.3 | 8.8.8.8 | 0xacb3 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:08.588099957 CEST | 192.168.2.3 | 8.8.8.8 | 0x593e | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:11.383903980 CEST | 192.168.2.3 | 8.8.8.8 | 0xc299 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 05:38:28.160732031 CEST | 8.8.8.8 | 192.168.2.3 | 0xf277 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:34.896231890 CEST | 8.8.8.8 | 192.168.2.3 | 0xb8e8 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:37.659429073 CEST | 8.8.8.8 | 192.168.2.3 | 0xee6 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:40.660141945 CEST | 8.8.8.8 | 192.168.2.3 | 0x32c4 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:43.497728109 CEST | 8.8.8.8 | 192.168.2.3 | 0x38f4 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:46.285773993 CEST | 8.8.8.8 | 192.168.2.3 | 0xe038 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:49.196597099 CEST | 8.8.8.8 | 192.168.2.3 | 0xd1a8 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:52.380361080 CEST | 8.8.8.8 | 192.168.2.3 | 0xf5b5 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:55.119384050 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c7d | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:38:57.862252951 CEST | 8.8.8.8 | 192.168.2.3 | 0x921b | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:01.382457972 CEST | 8.8.8.8 | 192.168.2.3 | 0xb963 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:04.324976921 CEST | 8.8.8.8 | 192.168.2.3 | 0x118b | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:08.038408041 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb61 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:10.845694065 CEST | 8.8.8.8 | 192.168.2.3 | 0xf912 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:13.538152933 CEST | 8.8.8.8 | 192.168.2.3 | 0xfec0 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:16.316384077 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d5a | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:19.033886909 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd57 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:21.730010986 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:24.661842108 CEST | 8.8.8.8 | 192.168.2.3 | 0x8f77 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:28.546643972 CEST | 8.8.8.8 | 192.168.2.3 | 0x847c | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:31.275702953 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb5f | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:34.036474943 CEST | 8.8.8.8 | 192.168.2.3 | 0x53ca | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:36.741065979 CEST | 8.8.8.8 | 192.168.2.3 | 0x91f6 | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:39.457341909 CEST | 8.8.8.8 | 192.168.2.3 | 0x87b1 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:42.414808989 CEST | 8.8.8.8 | 192.168.2.3 | 0x6eba | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:46.626611948 CEST | 8.8.8.8 | 192.168.2.3 | 0x9a26 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:49.382500887 CEST | 8.8.8.8 | 192.168.2.3 | 0x5276 | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:52.093952894 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7a2 | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:54.798815012 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e44 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:39:57.577550888 CEST | 8.8.8.8 | 192.168.2.3 | 0xafac | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:00.449871063 CEST | 8.8.8.8 | 192.168.2.3 | 0x659c | No error (0) | 4.tcp.ngrok.io | | 3.136.65.236 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:03.181199074 CEST | 8.8.8.8 | 192.168.2.3 | 0x7d9e | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:05.927911043 CEST | 8.8.8.8 | 192.168.2.3 | 0xacb3 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:08.651952982 CEST | 8.8.8.8 | 192.168.2.3 | 0x593e | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:40:11.447014093 CEST | 8.8.8.8 | 192.168.2.3 | 0xc299 | No error (0) | 4.tcp.ngrok.io | | 3.138.180.119 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 05:37:55
Start date: 11/06/2021
Path: C:\Users\user\Desktop\XQehPgTn35.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\XQehPgTn35.exe'
Imagebase: 0xae0000
File size: 1143296 bytes
MD5 hash: 595C00BF9CA4BAA42B4490F2782CF2D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 05:37:57
Start date: 11/06/2021
Path: C:\Windows\server.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\server.exe'
Imagebase: 0x9c0000
File size: 1143296 bytes
MD5 hash: 595C00BF9CA4BAA42B4490F2782CF2D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\server.exe, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 05:38:00
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
Imagebase: 0xd90000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                          General

                                                                                                                          Start time:05:38:00
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                          File size:625664 bytes
                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high

                                                                                                                          General

                                                                                                                          Start time:05:38:17
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:netsh firewall delete allowedprogram 'C:\Windows\server.exe'
                                                                                                                          Imagebase:0xd90000
                                                                                                                          File size:82944 bytes
                                                                                                                          MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high

                                                                                                                          General

                                                                                                                          Start time:05:38:18
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                          File size:625664 bytes
                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high

                                                                                                                          General

                                                                                                                          Start time:05:38:18
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
                                                                                                                          Imagebase:0xd90000
                                                                                                                          File size:82944 bytes
                                                                                                                          MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high

                                                                                                                          General

                                                                                                                          Start time:05:38:19
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                          File size:625664 bytes
                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high

                                                                                                                          General

                                                                                                                          Start time:05:38:21
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe'
                                                                                                                          Imagebase:0xda0000
                                                                                                                          File size:1143296 bytes
                                                                                                                          MD5 hash:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                          • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Avira
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 43%, Metadefender, Browse
                                                                                                                          • Detection: 62%, ReversingLabs
                                                                                                                          Reputation:low

                                                                                                                          General

                                                                                                                          Start time:05:38:34
                                                                                                                          Start date:11/06/2021
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe'
                                                                                                                          Imagebase:0x1310000
                                                                                                                          File size:1143296 bytes
                                                                                                                          MD5 hash:595C00BF9CA4BAA42B4490F2782CF2D3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 43%, Metadefender, Browse
                                                                                                                          • Detection: 62%, ReversingLabs
                                                                                                                          Reputation:low

Disassembly

Code Analysis
