Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236

Overview

General Information

Sample Name: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236 (renamed file extension from 13236 to msi)
Analysis ID: 562521
MD5: 1d59589778c525aadcb645270cee737c
SHA1: ad4584c1b7734854939c59674cbbf22a99618285
SHA256: 1f95063441e9d231e0e2b15365a8722c5136c2a6fe2716f3653c260093026354
Tags: msinjrat

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Njrat
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Cabinet File Expansion
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

AV Detection

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi Virustotal: Detection: 8%
Source: Yara match File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy) Virustotal: Detection: 15%
Source: 15.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/ATRAPS.Gen
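The ".sdmp" and ".unpack" names in the Source lines above encode which sandbox process, which analysis stage and which memory region a Yara hit came from, and reading them is how an analyst tells a hollowed host process from an ordinary heap hit. The following is an added example for readers of this report, not Joe Sandbox code: the field layout it parses is an assumption inferred from the identifiers printed on this page (not a documented vendor format), while the PAGE_* and MEM_* values are the exact winnt.h constants. It applies the check a practitioner would make here: a writable-and-executable, privately committed region at an image base in RegSvcs.exe that already exists before the process ran is what the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures look like in memory.

```python
"""Decode the artefact names in this report's "Source:" lines: ".sdmp"
memory dumps and ".unpack" dumped PEs.

Added example for readers of the report; not Joe Sandbox code. The field
layout below is an ASSUMPTION inferred from the identifiers printed on this
page, not a documented vendor format. PAGE_* and MEM_* values are the
winnt.h constants and are exact.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <proc>.<stage>.<seq>.<base>.<protect>.<?>.<type>.<?>.sdmp
# Fields 6 and 8 are not interpreted here.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout: <proc>.<stage>.<image>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")


@dataclass
class MemoryDump:
    proc: int       # sandbox process number: 0x0F here is the "15." of the .unpack names
    stage: int      # 0 = dumped before the process ran, 2 = dumped at analysis end (assumption)
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))


@dataclass
class UnpackedPe:
    proc: int
    stage: int
    image: str
    base: int
    index: int
    raw: bool       # ".raw" = dumped as laid out in memory rather than rebuilt as a file (assumption)


def parse_sdmp(name: str) -> Optional[MemoryDump]:
    m = SDMP_RE.match(name)
    if not m:
        return None
    return MemoryDump(proc=int(m[1], 16), stage=int(m[2], 16), base=int(m[4], 16),
                      protect=int(m[5], 16), mem_type=int(m[7], 16))


def parse_unpack(name: str) -> Optional[UnpackedPe]:
    m = UNPACK_RE.match(name)
    if not m:
        return None
    return UnpackedPe(proc=int(m[1]), stage=int(m[2]), image=m[3], base=int(m[4], 16),
                      index=int(m[5]), raw=m[6] is not None)


def looks_hollowed(d: MemoryDump) -> bool:
    """Triage heuristic: writable+executable, privately committed (not backed by
    the image file) code that already exists at stage 0, before the process ran
    its own entry point, is what a PE written into a suspended host looks like
    (the report's "Creates a process in suspended mode" and "Injects a PE file"
    signatures)."""
    return d.stage == 0 and (d.protect & 0xFF) in WRITABLE_EXECUTABLE and d.mem_type == 0x20000


# Identifiers copied from the "Source:" lines of this report.
REPORT_SOURCES = [
    "0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp",
    "0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp",
    "15.0.RegSvcs.exe.400000.0.unpack",
    "11.2.server.exe.3399760.1.raw.unpack",
]


def triage(names: List[str]) -> List[Tuple[int, str]]:
    """(process number, base address) of every dump that looks hollowed."""
    hits = []
    for n in names:
        d = parse_sdmp(n)
        if d is not None and looks_hollowed(d):
            hits.append((d.proc, hex(d.base)))
    return hits


if __name__ == "__main__":
    for n in REPORT_SOURCES:
        print(n, "->", parse_sdmp(n) or parse_unpack(n))
    print("hollowing candidates:", triage(REPORT_SOURCES))
```

Run against the identifiers above, only the RegSvcs.exe region at 0x402000 is flagged: it is RWX, MEM_PRIVATE and present at stage 0, whereas the server.exe hits at 0x3695000 and 0x5720000 are read/write heap or mapped memory dumped at the end of the run, i.e. the injector's own copies of the payload rather than the injected code.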

Exploits

Source: Yara match File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}
Source: Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 5.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_state.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb @ source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb 8 source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 5.pdb# source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp

Spreading

Source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: unknown DNS query: name: njlove.duckdns.org
Source: Joe Sandbox View ASN Name: TOTAL-SERVER-SOLUTIONSUS
Source: unknown DNS traffic detected: queries for: njlove.duckdns.org
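The Signatures list above and this Networking section describe behaviours that map directly onto host telemetry: a Run key pointing into C:\Windows, a netsh firewall allow rule, a CMSTP UAC bypass, an argument-less RegSvcs.exe used as injection host, cacls permission changes and a duckdns.org command-and-control host. The following is an added example, not part of the report or of any sandbox or SIEM product, that turns those signatures into hunting rules over Sysmon-style events. The events and command lines are constructed to show each technique's typical shape (the report does not print this sample's command lines); the path C:\Windows\server.exe and the Run value name are placeholders, and the dynamic-DNS suffixes other than duckdns.org are assumed additions.

```python
"""Hunting rules derived from the behaviours listed under "Signatures" and
"Networking" in this report. Added example for readers, not code from the
report or from any vendor product. The events below are CONSTRUCTED to
resemble Sysmon event 1 (process create), 13 (registry value set) and 22
(DNS query); they are not taken from the sandbox run, and the command lines
show the typical shape of each technique, not this sample's own."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

REPORT_C2 = "njlove.duckdns.org"                                # from the Networking section
DYNDNS = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")  # only duckdns.org is on this page
SACRIFICIAL = ("regsvcs.exe", "regasm.exe", "msbuild.exe")      # RegSvcs.exe is the host on this page
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _image(e: Event) -> str:
    return e.get("Image", "").rsplit("\\", 1)[-1].lower()


def _cmd(e: Event) -> str:
    return e.get("CommandLine", "").lower()


def autostart_into_windows(e: Event) -> bool:
    """'Creates an autostart registry key pointing to binary in C:\\Windows'."""
    target = e.get("Details", "").lower().lstrip('"')
    return (e.get("EventID") == "13" and RUN_KEY.search(e.get("TargetObject", "")) is not None
            and target.startswith("c:\\windows\\"))


def netsh_firewall_allow(e: Event) -> bool:
    """'Uses netsh to modify the Windows network and firewall settings' /
    Sigma 'Netsh Port or Application Allowed'."""
    c = _cmd(e)
    return (e.get("EventID") == "1" and _image(e) == "netsh.exe" and "firewall" in c
            and ("allowedprogram" in c or "action=allow" in c))


def cmstp_uac_bypass(e: Event) -> bool:
    """'Yara detected UAC Bypass using CMSTP': cmstp.exe fed an INF silently
    (the /s and /ni switches, MITRE ATT&CK T1218.003)."""
    c = _cmd(e)
    return e.get("EventID") == "1" and _image(e) == "cmstp.exe" and ".inf" in c and "/s" in c


def sacrificial_process_no_args(e: Event) -> bool:
    """Sigma 'Bad Opsec Defaults Sacrificial Processes With Improper Arguments':
    a .NET utility launched with no arguments, the usual hollowing host."""
    if e.get("EventID") != "1" or _image(e) not in SACRIFICIAL:
        return False
    return _cmd(e).strip().strip('"').endswith(".exe")


def dynamic_dns_query(e: Event) -> bool:
    """'Uses dynamic DNS services'."""
    q = e.get("QueryName", "").lower().rstrip(".")
    return e.get("EventID") == "22" and (q == REPORT_C2 or q.endswith(tuple("." + s for s in DYNDNS)))


def cacls_permission_change(e: Event) -> bool:
    """'Uses cacls to modify the permissions of files'."""
    c = _cmd(e)
    return e.get("EventID") == "1" and _image(e) in ("cacls.exe", "icacls.exe") and ("/p " in c or "/grant" in c)


RULES: Dict[str, Callable[[Event], bool]] = {
    f.__name__: f for f in (autostart_into_windows, netsh_firewall_allow, cmstp_uac_bypass,
                            sacrificial_process_no_args, dynamic_dns_query, cacls_permission_change)
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, RecordId) for every rule that matches an event."""
    return [(name, e["RecordId"]) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events (not from the sandbox run); paths mimic the report's layout.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "EventID": "1", "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE'},
    {"RecordId": "2", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a1b2c3d4e5f",
     "Details": r"C:\Windows\server.exe"},
    {"RecordId": "3", "EventID": "1", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"RecordId": "4", "EventID": "22", "QueryName": "njlove.duckdns.org"},
    {"RecordId": "5", "EventID": "1", "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\setup.inf"},
    {"RecordId": "6", "EventID": "1", "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r'cacls "C:\Windows\server.exe" /E /P everyone:F'},
    # benign controls: a Run value outside C:\Windows and an ordinary DNS lookup
    {"RecordId": "7", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"RecordId": "8", "EventID": "22", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for name, rid in evaluate(SAMPLE_EVENTS):
        print(f"{name:32s} record {rid}")
```

Each rule is deliberately narrow: the Run-key rule only fires when the value points under C:\Windows, which is what distinguishes this sample's persistence from the many legitimate Run entries under a user profile, and the sacrificial-process rule keys on an empty argument list rather than on RegSvcs.exe itself, which is launched legitimately by Visual Studio and installers with arguments.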

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: server.exe, 0000000B.00000002.716814871.000000000168B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

System Summary

Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/JmGPzoRLJm.cs Large array initialization: cSPokfGgp3: array initializer size 624144
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
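The Yara sources above follow the sandbox's naming scheme: a memory dump is written as process index (hex), stage (hex), dump id, base address and protection flags, ending in .sdmp, while an unpacked PE is written as process index, stage, image name, base address and dump number, optionally .raw, ending in .unpack. Read together, the two forms resolve 0000000F to process 15 (RegSvcs.exe) and 0000000B to process 11 (server.exe), and they show that RegSvcs.exe already contains the njRAT payload at 0x402000 in its stage-0 dumps, i.e. before any of its own code ran, whereas server.exe carries the payload only in heap regions (0x3371000, 0x3695000) at stage 2. That asymmetry is the footprint of server.exe writing the njRAT image into a freshly created RegSvcs.exe. The Python below is an added triage helper, not part of the report, that parses a subset of the lines above into a per-process summary. The reading of the second field as a stage, with 0 meaning process start and 2 meaning process end, is an assumption about the report format; the rule names in NJRAT_RULES are the ones that appear above.

```python
import re
from collections import defaultdict

# A subset of the "Matched rule" lines from the report above, copied verbatim.
REPORT_LINES = [
    "Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter",
    "Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group",
    "Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object",
    "Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi",
    "Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan",
    "Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
    "Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window",
]

# Memory dump source: <pid hex8>.<stage hex8>.<dump id>.<base hex16>.<flags>.sdmp
# (stage 0 = process start, 2 = process end is an assumption about the format).
MEM_RE = re.compile(
    r"^Source: (?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"\S*\.sdmp, type: MEMORY Matched rule: (?P<rule>.+?)(?= Author: | \w+ = |$)"
)
# Unpacked PE source: <pid>.<stage>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^Source: (?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack, "
    r"type: UNPACKEDPE Matched rule: (?P<rule>.+?)(?= Author: | \w+ = |$)"
)

# Rule names (or descriptions, for the lines that carry no name) that identify the RAT payload.
NJRAT_RULES = {"Identify njRat", "detect njRAT in memory", "njrat1", "Njrat", "MALWARE_Win_NjRAT"}


def parse_match(line):
    """Return one normalised match record, or None if the line is not a Yara match line."""
    m = MEM_RE.match(line)
    if m:
        return {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "image": None,
                "base": int(m["base"], 16), "rule": m["rule"], "kind": "memory"}
    m = UNPACK_RE.match(line)
    if m:
        return {"pid": int(m["pid"]), "stage": int(m["stage"]), "image": m["image"],
                "base": int(m["base"], 16), "rule": m["rule"], "kind": "unpacked"}
    return None


def summarize(lines):
    """Group matches by sandbox process index. The image name is learned from the
    unpacked-PE lines and applied to the memory-dump lines of the same index."""
    per_pid = defaultdict(lambda: {"image": None, "rules": set(), "bases": set(),
                                   "stages": set(), "njrat_at_start": False})
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        entry = per_pid[rec["pid"]]
        if rec["image"]:
            entry["image"] = rec["image"]
        entry["rules"].add(rec["rule"])
        entry["bases"].add(rec["base"])
        entry["stages"].add(rec["stage"])
        # Payload present before the process ran its own code: it was put there by someone else.
        if rec["rule"] in NJRAT_RULES and rec["stage"] == 0:
            entry["njrat_at_start"] = True
    return dict(per_pid)


def hollowed_hosts(summary):
    """Processes that held the RAT payload at stage 0, i.e. injection targets rather than droppers."""
    return sorted((pid, e["image"]) for pid, e in summary.items() if e["njrat_at_start"])


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    for pid in sorted(s):
        e = s[pid]
        print(pid, e["image"], sorted(e["stages"]), [hex(b) for b in sorted(e["bases"])], sorted(e["rules"]))
    print("hollowed hosts:", hollowed_hosts(s))
```

The same split applies when reading the full list: every 15.x entry sits at 0x400000, the image base of the injected njRAT binary, while the 11.2 entries at 0x4412b50 through 0x5724ff0 are the dropper's own heap copies of the payload and of the UAC-bypass and Defender-tampering code it carries.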
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI3B77.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6537be.msi
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_00F4AD45 11_2_00F4AD45
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_01661008 11_2_01661008
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_0166847A 11_2_0166847A
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_0166BA98 11_2_0166BA98
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_01664D69 11_2_01664D69
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_01661DE0 11_2_01661DE0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_01669E80 11_2_01669E80
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_016672E8 11_2_016672E8
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_01665AC0 11_2_01665AC0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_0166BA8E 11_2_0166BA8E
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B92FA8 11_2_06B92FA8
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B98F00 11_2_06B98F00
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96A20 11_2_06B96A20
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91257 11_2_06B91257
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B97BDB 11_2_06B97BDB
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B93B10 11_2_06B93B10
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B94050 11_2_06B94050
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91EB0 11_2_06B91EB0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B98EF0 11_2_06B98EF0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91EC0 11_2_06B91EC0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B92F98 11_2_06B92F98
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B94760 11_2_06B94760
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B99C18 11_2_06B99C18
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B99C08 11_2_06B99C08
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B90448 11_2_06B90448
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B90446 11_2_06B90446
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91298 11_2_06B91298
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91288 11_2_06B91288
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B93AD9 11_2_06B93AD9
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B94B83 11_2_06B94B83
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B93B0E 11_2_06B93B0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B5E288 15_2_02B5E288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B56FD8 15_2_02B56FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B5D520 15_2_02B5D520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B54B80 15_2_02B54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B58930 15_2_02B58930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B56E60 15_2_02B56E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B578E6 15_2_02B578E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_051D44D4 15_2_051D44D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_051D9680 15_2_051D9680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_051D486F 15_2_051D486F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_051D4880 15_2_051D4880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 30_2_013A08E2 30_2_013A08E2
Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Terminal.ServiceHub.dllT vs SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi Virustotal: Detection: 8%
Source: C:\Windows\SysWOW64\icacls.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
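The process chain above (MSI Wrapper unpacking into a MW-<guid> temp folder, server.exe spawning AddInProcess.exe, InstallUtil.exe and RegSvcs.exe with no arguments or with "..", RegSvcs.exe opening the firewall through netsh) can be turned into a handful of detection rules. The Python below is an added example and is not code from this report or from Joe Sandbox. The ProcEvent schema (parent, image, cmdline) is an assumption rather than any particular EDR's format, the events are constructed from the command lines on this page, and the REG ADD event is built from the SpecialAccounts\UserList string reported later from server.exe memory (the report shows the string, not its execution).

```python
"""Detection rules for the execution chain in this report: an MSI Wrapper package
(msiexec -> icacls -> expand -> server.exe), .NET Framework hosts started with no
arguments or a junk argument ("RegSvcs.exe" ..), the netsh firewall exception and
the account-hiding REG ADD string. Added example, not code from the report or from
Joe Sandbox; the events are constructed and the ProcEvent schema is assumed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # full path of the parent image ("unknown" if not recorded)
    image: str    # full path of the created image
    cmdline: str  # full command line of the created process

# .NET Framework utilities that .NET loaders commonly hollow out as hosts.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "addinprocess.exe",
                "addinprocess32.exe", "aspnet_compiler.exe", "msbuild.exe"}

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _args(cmdline: str) -> str:
    """Drop the (possibly quoted) image token; return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""

def rule_dotnet_host_bad_args(ev):
    """Sacrificial .NET host with no arguments, or arguments that are neither an
    assembly path nor a switch (RegSvcs foo.dll, InstallUtil /u foo.exe,
    AddInProcess /guid:... /pid:... are the legitimate shapes)."""
    if _name(ev.image) not in DOTNET_HOSTS:
        return None
    args = _args(ev.cmdline)
    if not re.search(r"\.(dll|exe)\b|[/-]\w", args, re.I):
        return f"dotnet_host_improper_args: {_name(ev.image)} args={args!r}"
    return None

def rule_dotnet_host_from_user_dir(ev):
    """A .NET host whose parent runs from a user-writable directory."""
    if _name(ev.image) in DOTNET_HOSTS and re.search(
            r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", ev.parent, re.I):
        return f"dotnet_host_spawned_from_user_dir: parent={ev.parent}"
    return None

def rule_netsh_firewall_exception(ev):
    """netsh opening the host firewall for a program (the classic njRAT step)."""
    if _name(ev.image) == "netsh.exe" and re.search(
            r"\bfirewall\b.*\badd\s+(allowedprogram|rule)\b", ev.cmdline, re.I):
        return f"netsh_firewall_exception: {_args(ev.cmdline)}"
    return None

def rule_msi_wrapper_payload(ev):
    """msiexec launching an .exe out of an MSI Wrapper 'MW-<guid>\\files' folder."""
    if _name(ev.parent) == "msiexec.exe" and re.search(
            r"\\Temp\\MW-[0-9a-f-]{36}\\files\\[^\\]+\.exe$", ev.image, re.I):
        return f"msi_wrapper_payload_exec: {ev.image}"
    return None

def rule_hidden_account(ev):
    """REG ADD ...\\Winlogon\\SpecialAccounts\\UserList /v <user> ... /d 0 hides
    <user> from the logon screen and the Users control panel."""
    m = re.search(r'SpecialAccounts\\UserList"?\s+/v\s+(\S+).*?/d\s+0\b', ev.cmdline, re.I)
    return f"hidden_user_account: {m.group(1)}" if m else None

RULES = (rule_dotnet_host_bad_args, rule_dotnet_host_from_user_dir,
         rule_netsh_firewall_exception, rule_msi_wrapper_payload, rule_hidden_account)

def evaluate(events):
    """One hit string per (event, rule) match, in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TMP = r"C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752"
SAMPLE_EVENTS = [  # constructed from the 'Process created' lines of this report
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", TMP + r"\files\server.exe",
              '"' + TMP + r'\files\server.exe"'),
    ProcEvent(TMP + r"\files\server.exe", FW + r"\AddInProcess.exe", FW + r"\AddInProcess.exe"),
    ProcEvent(TMP + r"\files\server.exe", FW + r"\InstallUtil.exe", FW + r"\InstallUtil.exe"),
    ProcEvent(TMP + r"\files\server.exe", FW + r"\RegSvcs.exe", FW + r"\RegSvcs.exe"),
    ProcEvent("unknown", FW + r"\RegSvcs.exe", '"' + FW + r'\RegSvcs.exe" ..'),
    ProcEvent(FW + r"\RegSvcs.exe", r"C:\Windows\SysWOW64\netsh.exe",
              'netsh firewall add allowedprogram "' + FW + r'\RegSvcs.exe" "RegSvcs.exe" ENABLE'),
    # Constructed from the REG ADD string found in server.exe memory; the report
    # records the string, not its execution.
    ProcEvent(FW + r"\RegSvcs.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
              r'\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0'),
    # Benign control: InstallUtil given an assembly path by a system-path parent.
    ProcEvent(r"C:\Windows\System32\cmd.exe", FW + r"\InstallUtil.exe",
              FW + r"\InstallUtil.exe C:\Program Files\App\Service.exe"),
]
```

Running evaluate(SAMPLE_EVENTS) yields ten hits for the seven malicious events and none for the benign control; the argument-shape rule is the one that separates the sacrificial hosts from real RegSvcs/InstallUtil/AddInProcess use, so tune its regex to the installers present in your estate before deploying it.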
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF6CC46065D10C7A25.TMP
Source: classification engine Classification label: mal100.troj.expl.evad.winMSI@36/35@1/1
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (4 occurrences)
Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\040b20e882d013c0c9f6ceff16d97f7aIG1pY3Jvc29mdA== (32-hex identifier followed by a base64 suffix; IG1pY3Jvc29mdA== decodes to " microsoft")
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2092:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_01
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}
Source: Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 5.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_state.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb @ source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb 8 source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 5.pdb# source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_0166F67E push esi; ret 11_2_0166F681
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B99478 pushfd ; retf 11_2_06B99479
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B93AD9 push 2806B870h; iretd 11_2_06B93B0D
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B99A08 pushfd ; iretd 11_2_06B99A09
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B91247 pushad ; iretd 11_2_06B91256
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B938D7 push es; retf 0006h 11_2_06B938F2
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B99864 push eax; iretd 11_2_06B99865
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96997 push ebx; retf 0006h 11_2_06B969A2
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96987 push ebx; retf 0006h 11_2_06B96992
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B9110B push eax; retf 11_2_06B91121
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96977 push edx; retf 0006h 11_2_06B96982
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96967 push ecx; retf 0006h 11_2_06B96972
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96958 push ecx; retf 0006h 11_2_06B96962
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Code function: 11_2_06B96947 push eax; retf 0006h 11_2_06B96952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02B5B182 pushad ; ret 15_2_02B5B189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 24_3_05710938 push A400005Eh; ret 24_3_05710951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 28_3_04FD0938 push A400005Eh; ret 28_3_04FD0951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 30_3_05350938 push A400005Eh; ret 30_3_05350951
Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr Static PE information: 0x8E2962A1 [Mon Jul 31 01:21:37 2045 UTC] (compile timestamp lies in the future, so it is forged or random and says nothing about the real build time)
Source: initial sample Static PE information: section name: .text entropy: 7.96550305867
Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/ZhZRcmjltN.cs High entropy of concatenated method names: '.ctor', 'PsGSqzcXOd', 'fD6NyRKtch', 'OhvftqmFHr', '0OflgCiW4k', 'fdwXuqxXi1', 'heSDchQ2ge', '5WrS1oqVlc', 'aJUGSZPbYK', 'lkhlKabjuS'
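Two of the obfuscation findings above are cheap to reproduce in a static triage script: a .text entropy of 7.9655 bits per byte sits right under the 8.0 ceiling for byte data, which is what packed or encrypted code looks like, and the "push imm32; ret", "pushfd; retf", "push es; retf 0006h" and "pushad; iretd" stubs are a push immediately followed by a return, so a byte scanner can count them. The Python below is an added example, not code from this report or from Joe Sandbox; the byte buffer is constructed to reproduce the reported stubs and the 7.0 packed-threshold is an assumed triage cut-off.

```python
"""Static triage for the Data Obfuscation findings above: section entropy (the
report gives 7.9655 for .text; 8.0 is the maximum for byte data) and the
'push ...; ret/retf/iretd' stubs reported in server.exe and RegSvcs.exe.
Added example, not code from the report or from Joe Sandbox; the byte buffer
below is constructed to reproduce those stubs."""
import math
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed triage cut-off; ordinary x86 .text is usually ~6.0-6.7

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_likely_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold

# x86 push-family and ret-family opcodes paired by the scanner. 0x68 carries an
# imm32; 0xC2/0xCA carry an imm16 (the 'retf 0006h' form in the report).
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
PUSH_ONE = {0x9C: "pushfd", 0x60: "pushad", 0x06: "push es", 0x0E: "push cs",
            0x16: "push ss", 0x1E: "push ds"}
RET_ONE = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_IMM16 = {0xC2: "ret", 0xCA: "retf"}

def _push_at(code: bytes, i: int):
    """Decode a push at code[i]; return (mnemonic, length) or None."""
    b = code[i]
    if b == 0x68 and i + 5 <= len(code):
        return f"push {int.from_bytes(code[i + 1:i + 5], 'little'):08X}h", 5
    if 0x50 <= b <= 0x57:
        return f"push {REGS[b - 0x50]}", 1
    if b in PUSH_ONE:
        return PUSH_ONE[b], 1
    return None

def _ret_at(code: bytes, i: int):
    """Decode a return at code[i]; return (mnemonic, length) or None."""
    b = code[i]
    if b in RET_ONE:
        return RET_ONE[b], 1
    if b in RET_IMM16 and i + 3 <= len(code):
        return f"{RET_IMM16[b]} {int.from_bytes(code[i + 1:i + 3], 'little'):04X}h", 3
    return None

def find_push_ret(code: bytes, base: int = 0):
    """Return [(address, 'push ...; ret...')] for every push immediately followed
    by a return. Byte-wise scanning of variable-length x86 also fires on data
    bytes, so treat the count as a density signal rather than proof."""
    hits, i = [], 0
    while i < len(code):
        p = _push_at(code, i)
        if p and i + p[1] < len(code):
            r = _ret_at(code, i + p[1])
            if r:
                hits.append((base + i, f"{p[0]}; {r[0]}"))
                i += p[1] + r[1]
                continue
        i += 1
    return hits

def triage_section(data: bytes, base: int = 0) -> dict:
    """Per-section summary a triage script would emit."""
    stubs = find_push_ret(data, base)
    return {"entropy": round(shannon_entropy(data), 4), "packed": is_likely_packed(data),
            "push_ret_stubs": len(stubs), "stubs": stubs}

# Constructed buffer reproducing the reported stubs, separated by nops:
# push A400005Eh; ret / pushfd; retf / push es; retf 0006h / push ebx; retf 0006h / pushad; iretd
SAMPLE_CODE = bytes.fromhex("685e0000a4c3 90 9ccb 90 06ca0600 90 53ca0600 90 60cf")
```

Feed triage_section() the raw bytes of each section from a PE parser (pefile's section.get_data(), for instance) with the section's virtual address as base; a .text section that is both near 8.0 bits and dense in push/ret stubs is the combination this report flags, while a high-entropy .rsrc or .data section alone is often just compressed resources.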

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBF62.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAA7F.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B77.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a (4 occurrences; the value name is the same 32-hex identifier that prefixes the RegSvcs.exe mutant name above, so either one is a usable host indicator for this build)

Hooking and other Techniques for Hiding and Protection

Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Process information set: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX error mode (SetErrorMode / the process default hard-error mode), which suppresses the dialog Windows would otherwise show when a file cannot be found. The .NET runtime and Windows Installer set it routinely, so on its own it is weak evidence of hiding; the counts below are of identical entries.
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX (15 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process information set: NOOPENFILEERRORBOX (19 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (20 further occurrences listed here)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLD
Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe TID: 7020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 4100 Thread sleep count: 437 > 30
Source: C:\Windows\System32\msdtc.exe TID: 4100 Thread sleep time: -43700s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2100
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 444
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe File Volume queried: C:\ FullSizeInformation
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVBoxARun using valid operating systemUSER
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: RegSvcs.exe, 00000018.00000002.781891461.00000000013E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B52008
Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/u0038IilAeO74h.cs Reference to suspicious API methods: ('UZTDQyKcgA', 'LoadLibrary@kernel32.dll'), ('7B0eHJViyQ', 'GetProcAddress@kernel32.dll'), ('2Nu1KEnGfG', 'VirtualProtect@kernel32.dll')
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 0000000F.00000002.927336113.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerX
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager6l
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection

Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR