Edit tour

Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236

Overview

General Information

Sample Name:	SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236 (renamed file extension from 13236 to msi)
Analysis ID:	562521
MD5:	1d59589778c525aadcb645270cee737c
SHA1:	ad4584c1b7734854939c59674cbbf22a99618285
SHA256:	1f95063441e9d231e0e2b15365a8722c5136c2a6fe2716f3653c260093026354
Tags:	msinjrat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Njrat

Multi AV Scanner detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Creates autostart registry keys with suspicious names

Modifies the windows firewall

Uses dynamic DNS services

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

May infect USB drives

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Cabinet File Expansion

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Uses cacls to modify the permissions of files

Drops PE files to the windows directory (C:\Windows)

Binary contains a suspicious time stamp

Sigma detected: Netsh Port or Application Allowed

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6712 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6128 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6992 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

icacls.exe (PID: 5596 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

expand.exe (PID: 4552 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

server.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" MD5: CD4D919B4FC88C9D6F03C864A181E40F)

AddInProcess.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)

InstallUtil.exe (PID: 6304 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

AddInProcess.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)

RegSvcs.exe (PID: 7148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

netsh.exe (PID: 6520 cmdline: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 2092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5164 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5568 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 3848 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

msdtc.exe (PID: 6320 cmdline: C:\Windows\System32\msdtc.exe MD5: 9A94F32C1DC90A7E5A35D0F820A8FB1D)

RegSvcs.exe (PID: 6972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6dbd:$a1: netsh firewall add allowedprogram 0x6d8d:$a2: SEE_MASK_NOZONECHECKS 0x6fad:$b1: [TAP] 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6d8d:$reg: SEE_MASK_NOZONECHECKS 0x6a7c:$msg: Execute ERROR 0x6ad4:$msg: Execute ERROR 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6dbd:$a1: netsh firewall add allowedprogram 0x6d8d:$a2: SEE_MASK_NOZONECHECKS 0x6fad:$b1: [TAP] 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6d8d:$reg: SEE_MASK_NOZONECHECKS 0x6a7c:$msg: Execute ERROR 0x6ad4:$msg: Execute ERROR 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6dbd:$a1: netsh firewall add allowedprogram 0x6d8d:$a2: SEE_MASK_NOZONECHECKS 0x6fad:$b1: [TAP] 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6d8d:$reg: SEE_MASK_NOZONECHECKS 0x6a7c:$msg: Execute ERROR 0x6ad4:$msg: Execute ERROR 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x805d:$a1: netsh firewall add allowedprogram 0x802d:$a2: SEE_MASK_NOZONECHECKS 0x824d:$b1: [TAP] 0x8149:$c3: cmd.exe /c ping
0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x802d:$reg: SEE_MASK_NOZONECHECKS 0x7d1c:$msg: Execute ERROR 0x7d74:$msg: Execute ERROR 0x8149:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6dbd:$a1: netsh firewall add allowedprogram 0x6d8d:$a2: SEE_MASK_NOZONECHECKS 0x6fad:$b1: [TAP] 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6d8d:$reg: SEE_MASK_NOZONECHECKS 0x6a7c:$msg: Execute ERROR 0x6ad4:$msg: Execute ERROR 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9354e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x935aa:$e2: Add-MpPreference -ExclusionPath
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x94b3f:$s1: c:\windows\system32\cmstp.exe 0x948db:$s2: taskkill /IM cmstp.exe /F 0x94797:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x949cd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9331c:$r1: Classes\Folder\shell\open\command 0x93360:$k1: DelegateExecute 0x9321c:$s1: /EXEFilename "{0} 0x93242:$s2: /WindowState "" 0x94c42:$s2: /WindowState "" 0x9326c:$s3: /PriorityClass ""32"" /CommandLine " 0x94c68:$s3: /PriorityClass ""32"" /CommandLine " 0x932b8:$s4: /StartDirectory " 0x94cb4:$s4: /StartDirectory " 0x932de:$s5: /RunAs 0x94cda:$s5: /RunAs
0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x93834:$s1: This file can't run into Virtual Machines 0x93730:$s4: Run without emulation 0x9390a:$s5: Run using valid operating system 0x93600:$v1: SbieDll.dll 0x9339b:$v2: USER 0x9394c:$v2: USER 0x93956:$v3: SANDBOX 0x93966:$v4: VIRUS 0x939ae:$v4: VIRUS 0x93972:$v5: MALWARE 0x93982:$v6: SCHMIDTI 0x93994:$v7: CURRENTUSER
0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6dbd:$a1: netsh firewall add allowedprogram 0x6d8d:$a2: SEE_MASK_NOZONECHECKS 0x6fad:$b1: [TAP] 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6d8d:$reg: SEE_MASK_NOZONECHECKS 0x6a7c:$msg: Execute ERROR 0x6ad4:$msg: Execute ERROR 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2f71d:$a1: netsh firewall add allowedprogram 0x2f6ed:$a2: SEE_MASK_NOZONECHECKS 0x2f90d:$b1: [TAP] 0x2f809:$c3: cmd.exe /c ping
0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f6ed:$reg: SEE_MASK_NOZONECHECKS 0x2f3dc:$msg: Execute ERROR 0x2f434:$msg: Execute ERROR 0x2f809:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: server.exe PID: 7028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: server.exe PID: 7028	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: server.exe PID: 7028	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RegSvcs.exe PID: 7148	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.RegSvcs.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.RegSvcs.exe.400000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.0.RegSvcs.exe.400000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.RegSvcs.exe.400000.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.0.RegSvcs.exe.400000.2.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.server.exe.5720000.12.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.5720000.12.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.5720000.12.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9354e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x935aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.5720000.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x94b3f:$s1: c:\windows\system32\cmstp.exe 0x948db:$s2: taskkill /IM cmstp.exe /F 0x94797:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x949cd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.5720000.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9331c:$r1: Classes\Folder\shell\open\command 0x93360:$k1: DelegateExecute 0x9321c:$s1: /EXEFilename "{0} 0x93242:$s2: /WindowState "" 0x94c42:$s2: /WindowState "" 0x9326c:$s3: /PriorityClass ""32"" /CommandLine " 0x94c68:$s3: /PriorityClass ""32"" /CommandLine " 0x932b8:$s4: /StartDirectory " 0x94cb4:$s4: /StartDirectory " 0x932de:$s5: /RunAs 0x94cda:$s5: /RunAs
11.2.server.exe.5720000.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x93834:$s1: This file can't run into Virtual Machines 0x93730:$s4: Run without emulation 0x9390a:$s5: Run using valid operating system 0x93600:$v1: SbieDll.dll 0x9339b:$v2: USER 0x9394c:$v2: USER 0x93956:$v3: SANDBOX 0x93966:$v4: VIRUS 0x939ae:$v4: VIRUS 0x93972:$v5: MALWARE 0x93982:$v6: SCHMIDTI 0x93994:$v7: CURRENTUSER
11.2.server.exe.440db60.5.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.440db60.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.440db60.5.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9354e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x12bb7e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x935aa:$e2: Add-MpPreference -ExclusionPath 0x12bbda:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.440db60.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x94b3f:$s1: c:\windows\system32\cmstp.exe 0x12d16f:$s1: c:\windows\system32\cmstp.exe 0x948db:$s2: taskkill /IM cmstp.exe /F 0x12cf0b:$s2: taskkill /IM cmstp.exe /F 0x94797:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x12cdc7:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x949cd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0x12cffd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.440db60.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9331c:$r1: Classes\Folder\shell\open\command 0x12b94c:$r1: Classes\Folder\shell\open\command 0x93360:$k1: DelegateExecute 0x12b990:$k1: DelegateExecute 0x9321c:$s1: /EXEFilename "{0} 0x12b84c:$s1: /EXEFilename "{0} 0x93242:$s2: /WindowState "" 0x94c42:$s2: /WindowState "" 0x12b872:$s2: /WindowState "" 0x12d272:$s2: /WindowState "" 0x9326c:$s3: /PriorityClass ""32"" /CommandLine " 0x94c68:$s3: /PriorityClass ""32"" /CommandLine " 0x12b89c:$s3: /PriorityClass ""32"" /CommandLine " 0x12d298:$s3: /PriorityClass ""32"" /CommandLine " 0x932b8:$s4: /StartDirectory " 0x94cb4:$s4: /StartDirectory " 0x12b8e8:$s4: /StartDirectory " 0x12d2e4:$s4: /StartDirectory " 0x932de:$s5: /RunAs 0x94cda:$s5: /RunAs 0x12b90e:$s5: /RunAs
11.2.server.exe.440db60.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x93834:$s1: This file can't run into Virtual Machines 0x12be64:$s1: This file can't run into Virtual Machines 0x93730:$s4: Run without emulation 0x12bd60:$s4: Run without emulation 0x9390a:$s5: Run using valid operating system 0x12bf3a:$s5: Run using valid operating system 0x93600:$v1: SbieDll.dll 0x12bc30:$v1: SbieDll.dll 0x9339b:$v2: USER 0x9394c:$v2: USER 0x12b9cb:$v2: USER 0x12bf7c:$v2: USER 0x93956:$v3: SANDBOX 0x12bf86:$v3: SANDBOX 0x93966:$v4: VIRUS 0x939ae:$v4: VIRUS 0x12bf96:$v4: VIRUS 0x12bfde:$v4: VIRUS 0x93972:$v5: MALWARE 0x12bfa2:$v5: MALWARE 0x93982:$v6: SCHMIDTI
15.0.RegSvcs.exe.400000.4.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.0.RegSvcs.exe.400000.4.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.4.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.4.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
15.2.RegSvcs.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.2.RegSvcs.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.2.RegSvcs.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.server.exe.3399760.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x52a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4eba:$s3: Executed As 0x4e98:$s6: Download ERROR
11.2.server.exe.3399760.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.2.server.exe.3399760.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x5249:$s1: netsh firewall delete allowedprogram 0x51bd:$s2: netsh firewall add allowedprogram 0x52a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e7c:$s4: Execute ERROR 0x4ed4:$s4: Execute ERROR 0x4e98:$s5: Download ERROR
11.2.server.exe.3399760.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x51bd:$a1: netsh firewall add allowedprogram 0x518d:$a2: SEE_MASK_NOZONECHECKS 0x53ad:$b1: [TAP] 0x52a9:$c3: cmd.exe /c ping
11.2.server.exe.3399760.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x518d:$reg: SEE_MASK_NOZONECHECKS 0x4e7c:$msg: Execute ERROR 0x4ed4:$msg: Execute ERROR 0x52a9:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.RegSvcs.exe.400000.3.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6cba:$s3: Executed As 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.0.RegSvcs.exe.400000.3.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.3.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.3.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.server.exe.5720000.12.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.5720000.12.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.5720000.12.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9174e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x917aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.5720000.12.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x92d3f:$s1: c:\windows\system32\cmstp.exe 0x92adb:$s2: taskkill /IM cmstp.exe /F 0x92997:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x92bcd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.5720000.12.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9151c:$r1: Classes\Folder\shell\open\command 0x91560:$k1: DelegateExecute 0x9141c:$s1: /EXEFilename "{0} 0x91442:$s2: /WindowState "" 0x92e42:$s2: /WindowState "" 0x9146c:$s3: /PriorityClass ""32"" /CommandLine " 0x92e68:$s3: /PriorityClass ""32"" /CommandLine " 0x914b8:$s4: /StartDirectory " 0x92eb4:$s4: /StartDirectory " 0x914de:$s5: /RunAs 0x92eda:$s5: /RunAs
11.2.server.exe.5720000.12.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x91a34:$s1: This file can't run into Virtual Machines 0x91930:$s4: Run without emulation 0x91b0a:$s5: Run using valid operating system 0x91800:$v1: SbieDll.dll 0x9159b:$v2: USER 0x91b4c:$v2: USER 0x91b56:$v3: SANDBOX 0x91b66:$v4: VIRUS 0x91bae:$v4: VIRUS 0x91b72:$v5: MALWARE 0x91b82:$v6: SCHMIDTI 0x91b94:$v7: CURRENTUSER
11.2.server.exe.45a61b0.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.45a61b0.7.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x49383:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x680c3:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x493b9:$e2: Add-MpPreference -ExclusionPath 0x680f9:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.45a61b0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x49253:$r1: Classes\Folder\shell\open\command 0x67f93:$r1: Classes\Folder\shell\open\command 0x49279:$k1: DelegateExecute 0x67fb9:$k1: DelegateExecute 0x491c7:$s1: /EXEFilename "{0} 0x67f07:$s1: /EXEFilename "{0} 0x491da:$s2: /WindowState "" 0x49f38:$s2: /WindowState "" 0x67f1a:$s2: /WindowState "" 0x68c78:$s2: /WindowState "" 0x491ef:$s3: /PriorityClass ""32"" /CommandLine " 0x49f4b:$s3: /PriorityClass ""32"" /CommandLine " 0x67f2f:$s3: /PriorityClass ""32"" /CommandLine " 0x68c8b:$s3: /PriorityClass ""32"" /CommandLine " 0x49215:$s4: /StartDirectory " 0x49f71:$s4: /StartDirectory " 0x67f55:$s4: /StartDirectory " 0x68cb1:$s4: /StartDirectory " 0x49228:$s5: /RunAs 0x49f84:$s5: /RunAs 0x67f68:$s5: /RunAs
11.2.server.exe.440db60.5.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.440db60.5.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.440db60.5.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9174e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x917aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.440db60.5.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x92d3f:$s1: c:\windows\system32\cmstp.exe 0x92adb:$s2: taskkill /IM cmstp.exe /F 0x92997:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x92bcd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.440db60.5.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9151c:$r1: Classes\Folder\shell\open\command 0x91560:$k1: DelegateExecute 0x9141c:$s1: /EXEFilename "{0} 0x91442:$s2: /WindowState "" 0x92e42:$s2: /WindowState "" 0x9146c:$s3: /PriorityClass ""32"" /CommandLine " 0x92e68:$s3: /PriorityClass ""32"" /CommandLine " 0x914b8:$s4: /StartDirectory " 0x92eb4:$s4: /StartDirectory " 0x914de:$s5: /RunAs 0x92eda:$s5: /RunAs
11.2.server.exe.440db60.5.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x91a34:$s1: This file can't run into Virtual Machines 0x91930:$s4: Run without emulation 0x91b0a:$s5: Run using valid operating system 0x91800:$v1: SbieDll.dll 0x9159b:$v2: USER 0x91b4c:$v2: USER 0x91b56:$v3: SANDBOX 0x91b66:$v4: VIRUS 0x91bae:$v4: VIRUS 0x91b72:$v5: MALWARE 0x91b82:$v6: SCHMIDTI 0x91b94:$v7: CURRENTUSER
11.2.server.exe.46b6e50.9.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.46b6e50.9.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.46b6e50.9.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9354e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x935aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.46b6e50.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x94b3f:$s1: c:\windows\system32\cmstp.exe 0x948db:$s2: taskkill /IM cmstp.exe /F 0x94797:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x949cd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.46b6e50.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9331c:$r1: Classes\Folder\shell\open\command 0x93360:$k1: DelegateExecute 0x9321c:$s1: /EXEFilename "{0} 0x93242:$s2: /WindowState "" 0x94c42:$s2: /WindowState "" 0x9326c:$s3: /PriorityClass ""32"" /CommandLine " 0x94c68:$s3: /PriorityClass ""32"" /CommandLine " 0x932b8:$s4: /StartDirectory " 0x94cb4:$s4: /StartDirectory " 0x932de:$s5: /RunAs 0x94cda:$s5: /RunAs
11.2.server.exe.46b6e50.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x93834:$s1: This file can't run into Virtual Machines 0x93730:$s4: Run without emulation 0x9390a:$s5: Run using valid operating system 0x93600:$v1: SbieDll.dll 0x9339b:$v2: USER 0x9394c:$v2: USER 0x93956:$v3: SANDBOX 0x93966:$v4: VIRUS 0x939ae:$v4: VIRUS 0x93972:$v5: MALWARE 0x93982:$v6: SCHMIDTI 0x93994:$v7: CURRENTUSER
11.2.server.exe.4412b50.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.4412b50.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.4412b50.4.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x8e55e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x126b8e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x8e5ba:$e2: Add-MpPreference -ExclusionPath 0x126bea:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.4412b50.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x8fb4f:$s1: c:\windows\system32\cmstp.exe 0x12817f:$s1: c:\windows\system32\cmstp.exe 0x8f8eb:$s2: taskkill /IM cmstp.exe /F 0x127f1b:$s2: taskkill /IM cmstp.exe /F 0x8f7a7:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x127dd7:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x8f9dd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0x12800d:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.4412b50.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x8e32c:$r1: Classes\Folder\shell\open\command 0x12695c:$r1: Classes\Folder\shell\open\command 0x8e370:$k1: DelegateExecute 0x1269a0:$k1: DelegateExecute 0x8e22c:$s1: /EXEFilename "{0} 0x12685c:$s1: /EXEFilename "{0} 0x8e252:$s2: /WindowState "" 0x8fc52:$s2: /WindowState "" 0x126882:$s2: /WindowState "" 0x128282:$s2: /WindowState "" 0x8e27c:$s3: /PriorityClass ""32"" /CommandLine " 0x8fc78:$s3: /PriorityClass ""32"" /CommandLine " 0x1268ac:$s3: /PriorityClass ""32"" /CommandLine " 0x1282a8:$s3: /PriorityClass ""32"" /CommandLine " 0x8e2c8:$s4: /StartDirectory " 0x8fcc4:$s4: /StartDirectory " 0x1268f8:$s4: /StartDirectory " 0x1282f4:$s4: /StartDirectory " 0x8e2ee:$s5: /RunAs 0x8fcea:$s5: /RunAs 0x12691e:$s5: /RunAs
11.2.server.exe.4412b50.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x8e844:$s1: This file can't run into Virtual Machines 0x126e74:$s1: This file can't run into Virtual Machines 0x8e740:$s4: Run without emulation 0x126d70:$s4: Run without emulation 0x8e91a:$s5: Run using valid operating system 0x126f4a:$s5: Run using valid operating system 0x8e610:$v1: SbieDll.dll 0x126c40:$v1: SbieDll.dll 0x8e3ab:$v2: USER 0x8e95c:$v2: USER 0x1269db:$v2: USER 0x126f8c:$v2: USER 0x8e966:$v3: SANDBOX 0x126f96:$v3: SANDBOX 0x8e976:$v4: VIRUS 0x8e9be:$v4: VIRUS 0x126fa6:$v4: VIRUS 0x126fee:$v4: VIRUS 0x8e982:$v5: MALWARE 0x126fb2:$v5: MALWARE 0x8e992:$v6: SCHMIDTI
11.2.server.exe.44a6190.6.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.44a6190.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.44a6190.6.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9354e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x935aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.44a6190.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x94b3f:$s1: c:\windows\system32\cmstp.exe 0x948db:$s2: taskkill /IM cmstp.exe /F 0x94797:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x949cd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.44a6190.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9331c:$r1: Classes\Folder\shell\open\command 0x93360:$k1: DelegateExecute 0x9321c:$s1: /EXEFilename "{0} 0x93242:$s2: /WindowState "" 0x94c42:$s2: /WindowState "" 0x9326c:$s3: /PriorityClass ""32"" /CommandLine " 0x94c68:$s3: /PriorityClass ""32"" /CommandLine " 0x932b8:$s4: /StartDirectory " 0x94cb4:$s4: /StartDirectory " 0x932de:$s5: /RunAs 0x94cda:$s5: /RunAs
11.2.server.exe.44a6190.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x93834:$s1: This file can't run into Virtual Machines 0x93730:$s4: Run without emulation 0x9390a:$s5: Run using valid operating system 0x93600:$v1: SbieDll.dll 0x9339b:$v2: USER 0x9394c:$v2: USER 0x93956:$v3: SANDBOX 0x93966:$v4: VIRUS 0x939ae:$v4: VIRUS 0x93972:$v5: MALWARE 0x93982:$v6: SCHMIDTI 0x93994:$v7: CURRENTUSER
11.2.server.exe.44a6190.6.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.44a6190.6.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.44a6190.6.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9174e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x917aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.44a6190.6.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x92d3f:$s1: c:\windows\system32\cmstp.exe 0x92adb:$s2: taskkill /IM cmstp.exe /F 0x92997:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x92bcd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.44a6190.6.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9151c:$r1: Classes\Folder\shell\open\command 0x91560:$k1: DelegateExecute 0x9141c:$s1: /EXEFilename "{0} 0x91442:$s2: /WindowState "" 0x92e42:$s2: /WindowState "" 0x9146c:$s3: /PriorityClass ""32"" /CommandLine " 0x92e68:$s3: /PriorityClass ""32"" /CommandLine " 0x914b8:$s4: /StartDirectory " 0x92eb4:$s4: /StartDirectory " 0x914de:$s5: /RunAs 0x92eda:$s5: /RunAs
11.2.server.exe.44a6190.6.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x91a34:$s1: This file can't run into Virtual Machines 0x91930:$s4: Run without emulation 0x91b0a:$s5: Run using valid operating system 0x91800:$v1: SbieDll.dll 0x9159b:$v2: USER 0x91b4c:$v2: USER 0x91b56:$v3: SANDBOX 0x91b66:$v4: VIRUS 0x91bae:$v4: VIRUS 0x91b72:$v5: MALWARE 0x91b82:$v6: SCHMIDTI 0x91b94:$v7: CURRENTUSER
11.2.server.exe.46bbe40.10.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.46bbe40.10.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.46bbe40.10.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x8e55e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x8e5ba:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.46bbe40.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x8fb4f:$s1: c:\windows\system32\cmstp.exe 0x8f8eb:$s2: taskkill /IM cmstp.exe /F 0x8f7a7:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x8f9dd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.46bbe40.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x8e32c:$r1: Classes\Folder\shell\open\command 0x8e370:$k1: DelegateExecute 0x8e22c:$s1: /EXEFilename "{0} 0x8e252:$s2: /WindowState "" 0x8fc52:$s2: /WindowState "" 0x8e27c:$s3: /PriorityClass ""32"" /CommandLine " 0x8fc78:$s3: /PriorityClass ""32"" /CommandLine " 0x8e2c8:$s4: /StartDirectory " 0x8fcc4:$s4: /StartDirectory " 0x8e2ee:$s5: /RunAs 0x8fcea:$s5: /RunAs
11.2.server.exe.46bbe40.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x8e844:$s1: This file can't run into Virtual Machines 0x8e740:$s4: Run without emulation 0x8e91a:$s5: Run using valid operating system 0x8e610:$v1: SbieDll.dll 0x8e3ab:$v2: USER 0x8e95c:$v2: USER 0x8e966:$v3: SANDBOX 0x8e976:$v4: VIRUS 0x8e9be:$v4: VIRUS 0x8e982:$v5: MALWARE 0x8e992:$v6: SCHMIDTI 0x8e9a4:$v7: CURRENTUSER
11.2.server.exe.3399760.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.2.server.exe.3399760.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x7049:$s1: netsh firewall delete allowedprogram 0x6fbd:$s2: netsh firewall add allowedprogram 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6c7c:$s4: Execute ERROR 0x6cd4:$s4: Execute ERROR 0x6c98:$s5: Download ERROR
11.2.server.exe.3399760.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6fbd:$a1: netsh firewall add allowedprogram 0x6f8d:$a2: SEE_MASK_NOZONECHECKS 0x71ad:$b1: [TAP] 0x70a9:$c3: cmd.exe /c ping
11.2.server.exe.5724ff0.11.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.5724ff0.11.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.3399760.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f8d:$reg: SEE_MASK_NOZONECHECKS 0x6c7c:$msg: Execute ERROR 0x6cd4:$msg: Execute ERROR 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.server.exe.5724ff0.11.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x8e55e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x8e5ba:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.5724ff0.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x8fb4f:$s1: c:\windows\system32\cmstp.exe 0x8f8eb:$s2: taskkill /IM cmstp.exe /F 0x8f7a7:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x8f9dd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.5724ff0.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x8e32c:$r1: Classes\Folder\shell\open\command 0x8e370:$k1: DelegateExecute 0x8e22c:$s1: /EXEFilename "{0} 0x8e252:$s2: /WindowState "" 0x8fc52:$s2: /WindowState "" 0x8e27c:$s3: /PriorityClass ""32"" /CommandLine " 0x8fc78:$s3: /PriorityClass ""32"" /CommandLine " 0x8e2c8:$s4: /StartDirectory " 0x8fcc4:$s4: /StartDirectory " 0x8e2ee:$s5: /RunAs 0x8fcea:$s5: /RunAs
11.2.server.exe.5724ff0.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x8e844:$s1: This file can't run into Virtual Machines 0x8e740:$s4: Run without emulation 0x8e91a:$s5: Run using valid operating system 0x8e610:$v1: SbieDll.dll 0x8e3ab:$v2: USER 0x8e95c:$v2: USER 0x8e966:$v3: SANDBOX 0x8e976:$v4: VIRUS 0x8e9be:$v4: VIRUS 0x8e982:$v5: MALWARE 0x8e992:$v6: SCHMIDTI 0x8e9a4:$v7: CURRENTUSER
11.2.server.exe.46b6e50.9.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.server.exe.46b6e50.9.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.server.exe.46b6e50.9.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9174e:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x917aa:$e2: Add-MpPreference -ExclusionPath
11.2.server.exe.46b6e50.9.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x92d3f:$s1: c:\windows\system32\cmstp.exe 0x92adb:$s2: taskkill /IM cmstp.exe /F 0x92997:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x92bcd:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
11.2.server.exe.46b6e50.9.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9151c:$r1: Classes\Folder\shell\open\command 0x91560:$k1: DelegateExecute 0x9141c:$s1: /EXEFilename "{0} 0x91442:$s2: /WindowState "" 0x92e42:$s2: /WindowState "" 0x9146c:$s3: /PriorityClass ""32"" /CommandLine " 0x92e68:$s3: /PriorityClass ""32"" /CommandLine " 0x914b8:$s4: /StartDirectory " 0x92eb4:$s4: /StartDirectory " 0x914de:$s5: /RunAs 0x92eda:$s5: /RunAs
11.2.server.exe.46b6e50.9.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x91a34:$s1: This file can't run into Virtual Machines 0x91930:$s4: Run without emulation 0x91b0a:$s5: Run using valid operating system 0x91800:$v1: SbieDll.dll 0x9159b:$v2: USER 0x91b4c:$v2: USER 0x91b56:$v3: SANDBOX 0x91b66:$v4: VIRUS 0x91bae:$v4: VIRUS 0x91b72:$v5: MALWARE 0x91b82:$v6: SCHMIDTI 0x91b94:$v7: CURRENTUSER
Click to see the 103 entries

Sigma Overview

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe, ParentProcessId: 7028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7148

Source: Process started

Author: Bhabesh Raj: Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6992, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 4552

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7148, ProcessCommandLine: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, ProcessId: 6520

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .., EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\040b20e882d013c0c9f6ceff16d97f7a

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe, ParentProcessId: 7028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 6304

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi

Virustotal: Detection: 8%

Perma Link

Yara detected Njrat

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp	Virustotal: Detection: 15%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)	Virustotal: Detection: 15%			Perma Link

Source: 15.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}

Jump to behavior

Source:	Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 5.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb @ source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb 8 source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 5.pdb# source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
Source:	Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp

Source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: njlove.duckdns.org

Source: Joe Sandbox View

ASN Name: TOTAL-SERVER-SOLUTIONSUS TOTAL-SERVER-SOLUTIONSUS

Source: unknown

DNS traffic detected: queries for: njlove.duckdns.org

Source: server.exe, 0000000B.00000002.716814871.000000000168B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/JmGPzoRLJm.cs

Large array initialization: cSPokfGgp3: array initializer size 624144

Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3B77.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6537be.msi

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_00F4AD45
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_01661008
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_0166847A
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_0166BA98
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_01664D69
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_01661DE0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_01669E80
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_016672E8
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_01665AC0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_0166BA8E
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B92FA8
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B98F00
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96A20
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91257
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B97BDB
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B93B10
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B94050
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91EB0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B98EF0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91EC0
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B92F98
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B94760
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B99C18
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B99C08
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B90448
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B90446
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91298
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91288
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B93AD9
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B94B83
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B93B0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B5E288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B56FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B5D520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B58930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B56E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B578E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_051D44D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_051D9680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_051D486F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_051D4880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 30_2_013A08E2

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi

Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Terminal.ServiceHub.dllT vs SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll

Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi

Virustotal: Detection: 8%

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF6CC46065D10C7A25.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winMSI@36/35@1/1

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\040b20e882d013c0c9f6ceff16d97f7aIG1pY3Jvc29mdA==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2092:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}

Jump to behavior

Source:	Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 5.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb @ source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.EnterpriseServices.pdb 8 source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 5.pdb# source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
Source:	Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_0166F67E push esi; ret
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B99478 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B93AD9 push 2806B870h; iretd
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B99A08 pushfd ; iretd
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B91247 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B938D7 push es; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B99864 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96997 push ebx; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96987 push ebx; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B9110B push eax; retf
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96977 push edx; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96967 push ecx; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96958 push ecx; retf 0006h
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Code function: 11_2_06B96947 push eax; retf 0006h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02B5B182 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_3_05710938 push A400005Eh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 28_3_04FD0938 push A400005Eh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 30_3_05350938 push A400005Eh; ret

Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr

Static PE information: 0x8E2962A1 [Mon Jul 31 01:21:37 2045 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.96550305867

Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/ZhZRcmjltN.cs

High entropy of concatenated method names: '.ctor', 'PsGSqzcXOd', 'fD6NyRKtch', 'OhvftqmFHr', '0OflgCiW4k', 'fdwXuqxXi1', 'heSDchQ2ge', '5WrS1oqVlc', 'aJUGSZPbYK', 'lkhlKabjuS'

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF62.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA7F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B77.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF62.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B77.tmp	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a

Jump to behavior

Creates autostart registry keys with suspicious names

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLD
Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 4100	Thread sleep count: 437 > 30
Source: C:\Windows\System32\msdtc.exe TID: 4100	Thread sleep time: -43700s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2100
Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 444

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxARun using valid operating systemUSER
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: RegSvcs.exe, 00000018.00000002.781891461.00000000013E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B52008

.NET source code references suspicious native API functions

Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/u0038IilAeO74h.cs

Reference to suspicious API methods: ('UZTDQyKcgA', 'LoadLibrary@kernel32.dll'), ('7B0eHJViyQ', 'GetProcAddress@kernel32.dll'), ('2Nu1KEnGfG', 'VirtualProtect@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Source: RegSvcs.exe, 0000000F.00000002.927336113.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6l
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE

Modifies the windows firewall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	1 Input Capture	11 Peripheral Device Discovery	2 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	21 Registry Run Keys / Startup Folder	312 Process Injection	3 Software Packing	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Services File Permissions Weakness	21 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	1 DLL Side-Loading	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Masquerading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	312 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Users	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Services File Permissions Weakness	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi	9%	Virustotal		Browse
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi	0%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp	16%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)	16%	Virustotal	Browse
C:\Windows\Installer\MSI3B77.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI3B77.tmp	0%	Metadefender	Browse
C:\Windows\Installer\MSI3B77.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAA7F.tmp	0%	Metadefender	Browse
C:\Windows\Installer\MSIAA7F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIBF62.tmp	0%	Metadefender	Browse
C:\Windows\Installer\MSIBF62.tmp	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
15.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
11.2.server.exe.3399760.1.unpack	100%	Avira	HEUR/AGEN.1131353	Download File
15.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
15.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
15.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
15.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
njlove.duckdns.org	2%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
njlove.duckdns.org	66.154.111.162	true	true	2%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.154.111.162	njlove.duckdns.org	Canada		46562	TOTAL-SERVER-SOLUTIONSUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562521
Start date:	29.01.2022
Start time:	00:10:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236 (renamed file extension from 13236 to msi)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winMSI@36/35@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.3%) Quality average: 43.1% Quality standard deviation: 42.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 2.20.157.220
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
00:11:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
00:12:02	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
00:12:04	API Interceptor	30x Sleep call for process: RegSvcs.exe modified
00:12:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8093
Entropy (8bit):	5.4465567087908475
Encrypted:	false
SSDEEP:	96:Ymr07+63C9wQeiJYScU0+eD2JtZCsvVDeU0+eD2JtZC6jYPBQAvVDvQGqg5qZW9B:Nr7BeI38C387cUmpq
MD5:	F0C5ADEFCF329EBB98333F599A1A8BAE
SHA1:	D8B9759FA6E1E207DB6E50F80E5E2FFAC4BA92F8
SHA-256:	E3F306A54970543F1287CBE35FA41BCA21BE33A87439736ECBDEEFEB4EF36D8C
SHA-512:	47DB1FDFEBB4FC1A64B487D78218782DB4F5358F60F8103D44B609BE0E1CCA0EC23F44E9906DB508712D1767E58F18B4FA7FF3716A6FA421F2D46E2197A38D86
Malicious:	false
Preview:	...@IXOS.@.....@z.=T.@.....@.....@.....@.....@.....@......&.{8291D67C-2E0B-4E71-B034-09AFE03383E8}X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.,.SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi.@.....@.....@.....@........&.{49C681E5-45C4-4467-92EE-456F1E355C5F}.....@.....@.....@.....@.......@.....@.....@.......@....X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{8291D67C-2E0B-4E71-B034-09AFE03383E8}.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....*.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\..

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1141
Entropy (8bit):	5.340874572595606
Encrypted:	false
SSDEEP:	24:MLzayE4gayE47mE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:M3ayHgayH7mHK5HKXwYHKhQnoPtHoxHe
MD5:	DB2EF3BD59C93968A627D15CC207CBF4
SHA1:	F0C61B1D05A79EDBB9EBB6FFB8C8E217F2BDD62A
SHA-256:	31D645F0A9462B5632F184DF6D131C28ADEA6777C7E42AF8E91643E47447E4C8
SHA-512:	55EC90EE78C75E817F888197CE289202FF8973348DD992DAA4AB791261732AB4006E56F84A4DA449F71A69B7A2F6BD91B4A6D16521AD0CB6D3A4A531851A8F5A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, Public

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, 669935 bytes, 1 file
Category:	dropped
Size (bytes):	669935
Entropy (8bit):	7.957969373333579
Encrypted:	false
SSDEEP:	12288:nkKSpNcjNXmpYpNLKAKMYzh5E4OGF9+AxUH5tXT0rHo7sv0yxYElXXyoZhTUGL:kTNcjk8LKAj6h5E4Z9+SgzDOo7sv0yxX
MD5:	262E1B25CAAB9FABDED95EECFDCB28EB
SHA1:	966B778B45CF788F3F3D34C841D137F8C22AA997
SHA-256:	B17D933378BB378797102613EE8034BEC9B7E73E4540EFA2E48D4B90CB7494D9
SHA-512:	0A5562D3C41657BE46A657C62ECF2D5FF013D559621AB81734B53025F2F76E1F88B39BBCE65B669EC20677A9EB66D3674A048FFF7DAA4D531C6A13F096AF181B
Malicious:	false
Preview:	MSCF.....8......,...................G........8........<TW. .server.exe...3.....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b)...............0.@,..........:L... ...`....@.. ....................................`.................................0K..J....`..............................zK..8............................................ ............... ..H............text...@,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..@................`K......H....... ...Xb..........xJ..............................................e`:C)......0.&............Ndq.t28q..W.z..X.....V...{.("....N.5...V.Z....l...kf..'...".6..`m....`8.).].....z5.:[5....Amy.b......:k..n.Q.N..&....\...../ ..;fsp.B...*........[@..A..h.d......h..-n...ynT...=...$.NsA....7....^.. ....]..,.A....L...E...HI#.a.#....DA.=n.....U1@...>?%....\|r..0...o.L.[9#.."4..m..QW.04A.,.e.&z

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	669696
Entropy (8bit):	7.958276686942886
Encrypted:	false
SSDEEP:	12288:EkKSarcjMXmuYpN0KAKMSzhFE4OUF94Ax/m5GXT0rao7Ev0ixYElXtyoLhTUGe:dQrcjXv0KAjUhFE4794SOMD7o7Ev0ixm
MD5:	CD4D919B4FC88C9D6F03C864A181E40F
SHA1:	F0E56473DEBCF2DFD121E0249908828FE36EA621
SHA-256:	7E6B89DBF95819AC599FF79ACD6CB50DE2A53EE135B51E37DAF00AF7313CE8D6
SHA-512:	3E70ADBDDF558F24349896DD2CD82FCA8A4FA3C732E0966B6A2A16EAD57FB7EBABB810F5C9870C7C928C7C09F365F28C5AD0EBD1B7C0EE6279F7E85B4108D0A8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 16%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b)...............0.@,..........:L... ...`....@.. ....................................`.................................0K..J....`..............................zK..8............................................ ............... ..H............text...@,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..@................`K......H....... ...Xb..........xJ..............................................e`:C)......0.&............Ndq.t28q..W.z..X.....V...{.("....N.5...V.Z....l...kf..'...".6..`m....`8.).].....z5.:[5....Amy.b......:k..n.Q.N..&....\...../ ..;fsp.B...........[@..A..h.d......h..-n...ynT...=...$.NsA....7....^.. ....]..,.A....L...E...HI#.a.#....DA.=n.....U1@...>?%....\|r..0...o.L.[9#.."4..m..QW.04A.,.e.&zI.?PR.p4^..M.o..F<.uFyaw.....>..s-X..-\.(....f...bT>A{.P..us....2..J.m.n.$

Process:	C:\Windows\System32\msdtc.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.32056240596048735
Encrypted:	false
SSDEEP:	6:QKt3dEX8ta/ygA5UMclSqlPMclX/7EJRD/tz8gYbOCzE5Zm3n+SkSJkJIOcuCjHF:zaX80y52xX/7En7q6CzE5Z2+fqjFhl
MD5:	7A141E48D07008633F69DE5A0962C3D7
SHA1:	427889058B5A3401D1F3028EACDA31BD8F88C0A7
SHA-256:	CFDDD10FED936C66EB0DA9D65478D057B26E6095976976CA95D85C1113A61FE7
SHA-512:	534413FB19E57EBA818C170EFAF5164A095A38D7A5948D329A315C90E3C199294ED1238EAC015FA16A6656B8161BA045F12B834223061DF15C04559AA0C21D07
Malicious:	false
Preview:	.@..X...X.......................................X...!...................................5._-.............@.......B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...........................................................:......... ........w............M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.........5._-............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071, Subject: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: x64;1033, Revision Number: {49C681E5-45C4-4467-92EE-456F1E355C5F}, Create Time/Date: Sun Feb 7 22:37:14 2021, Last Saved Time/Date: Sun Feb 7 22:37:14 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
Entropy (8bit):	7.70038526988355
TrID:	Microsoft Windows Installer (77509/1) 90.64% Generic OLE2 / Multistream Compound File (8008/1) 9.36%
File name:	SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi
File size:	921600
MD5:	1d59589778c525aadcb645270cee737c
SHA1:	ad4584c1b7734854939c59674cbbf22a99618285
SHA256:	1f95063441e9d231e0e2b15365a8722c5136c2a6fe2716f3653c260093026354
SHA512:	11d4394566efe3bc75336d90371017ea0e4e9edc556736e2537201afb648e9c2167beb82ca87c3cc4a4b23603d49eb19bfc403c782858f0e781bb127771109d9
SSDEEP:	24576:StZcpVJ78TNcjk8LKAj6h5E4Z9+SgzDOo7sv0yx3FXyoUc:Rpz78OI/i4nhgzDOo3yLC+
File Content Preview:	........................>......................................................................................................................................................................................................................................

Has Summary Info:	True
Application Name:	MSI Wrapper (10.0.50.0)
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Code Page:	1252
Title:	Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071
Subject:	Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Author:	Microsoft Corporation
Keywords:	Installer
Template:	x64;1033
Revion Number:	{49C681E5-45C4-4467-92EE-456F1E355C5F}
Create Time:	2021-02-07 22:37:14
Last Saved Time:	2021-02-07 22:37:14
Number of Pages:	200
Number of Words:	2
Creating Application:	MSI Wrapper (10.0.50.0)
Security:	2

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	136
Entropy:	3.23907469015
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . X . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 58 00 00 00 03 00 00 00 01 00 00 00 28 00 00 00 00 00 00 80 30 00 00 00 0f 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 13 00 00 00 09 04 00 00 1e 00 00 00 16 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	588
Entropy:	4.89141384854
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . x . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l e r . . . . . . . . . . . x 6 4 ; 1 0 3 3 . . . . . . . . ' . . . { 4 9 C 6 8 1 E 5 - 4 5 C 4 - 4 4 6 7 - 9 2 E E - 4 5 6 F 1 E 3
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 1c 02 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 28 01 00 00 03 00 00 00 98 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480
File Type:	Microsoft Cabinet archive data, 669935 bytes, 1 file
Stream Size:	669935
Entropy:	7.95796937333
Base64 Encoded:	True
Data ASCII:	M S C F . . . . . 8 . . . . . . , . . . . . . . . . . . . . . . . . . . G . . . . . . . . 8 . . . . . . . . < T W . . s e r v e r . e x e . . . 3 . . . . . M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . P E . . L . . . . b ) . . . . . . . . . . . . . . . 0 . @ , . . . . . . . . . . : L . . . . . .
Data Raw:	4d 53 43 46 00 00 00 00 ef 38 0a 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 9b 8e 00 00 47 00 00 00 15 00 00 00 00 38 0a 00 00 00 00 00 00 00 3c 54 57 80 20 00 73 65 72 76 65 72 2e 65 78 65 00 99 0a 33 f0 00 80 00 80 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	212992
Entropy:	6.51349522999
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . . . . p . . . p . . . p . . . . . . . p . . . . . . . p . . . . . / . p . . . . . . . p . . . q . % . p . . . . . . . p . . . . . . . p . . . . . . . p . R i c h . . p . . . . . . . . . . . . . . . . . . . . . . . . . P E . . L . . . . k ` . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	672
Entropy:	4.76447414203
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00 74 00 77 00

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ISO-8859 text, with very long lines, with no line terminators
Stream Size:	8555
Entropy:	5.07763841758
Base64 Encoded:	True
Data ASCII:	N a m e T a b l e T y p e C o l u m n _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
Data Raw:	4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	1216
Entropy:	3.08768728885
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . .
Data Raw:	00 00 00 00 04 00 06 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0b 00 15 00 05 00 05 00 01 00 2c 00 0a 00 01 00 13 00 02 00 0b 00 06 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 19 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 2a 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 09 00

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	38
Entropy:	3.12396375672
Base64 Encoded:	False
Data ASCII:	. . " . ) . * . + . / . 5 . = . M . \\ . a . o . r . s . t . w . . . . . . .
Data Raw:	06 00 22 00 29 00 2a 00 2b 00 2f 00 35 00 3d 00 4d 00 5c 00 61 00 6f 00 72 00 73 00 74 00 77 00 82 00 86 00 90 00

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	2064
Entropy:	2.38126922111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . . . - . % . / . 1 . 4 . 7 . : . 5 . I . K . . . # . @ . C . F . . . 4 . 7 . M . O .
Data Raw:	06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00

General
Stream Path:	\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	e1 00 e2 00

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	48
Entropy:	3.06842109407
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . < . . . . .
Data Raw:	9d 00 9e 00 9f 00 a0 00 a1 00 a2 00 a3 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	24
Entropy:	2.59436093777
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	9d 00 9e 00 9f 00 a5 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	42
Entropy:	2.9135675273
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . .
Data Raw:	9d 00 9f 00 a0 00 a1 00 a4 00 a6 00 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6537bf.rbs

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log

C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files.cab

C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp

C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini

C:\Windows\Installer\6537be.msi

C:\Windows\Installer\6537c0.msi

C:\Windows\Installer\MSI3B77.tmp

C:\Windows\Installer\MSIAA7E.tmp

C:\Windows\Installer\MSIAA7F.tmp

C:\Windows\Installer\MSIBF62.tmp

C:\Windows\Installer\SourceHash{8291D67C-2E0B-4E71-B034-09AFE03383E8}

C:\Windows\Installer\inprogressinstallinfo.ipi

Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	cc 00 aa 00

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	386 compact demand paged pure executable
Stream Size:	16
Entropy:	1.9197367178
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . .
Data Raw:	cc 00 00 00 cd 00 00 00 02 80 01 80 00 00 00 80

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	0.946372935985
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . .
Data Raw:	01 80 00 00 00 80 00 00 00 00 00 00 00 00

General
Stream Path:	\x18496\x16923\x17194\x17910\x18229
File Type:	data
Stream Size:	60
Entropy:	3.52924126798
Base64 Encoded:	False
Data ASCII:	. . . . " . % . ( . . . . . . . . . . . . . . . . . . . . . . . . # . & . ) . . . ! . $ . ' . * . . . . . . . . . . .
Data Raw:	ad 00 1f 01 22 01 25 01 28 01 ff 7f ff 7f ff 7f ff 7f ff 7f 1c 01 1c 01 1c 01 1c 01 1c 01 1d 01 20 01 23 01 26 01 29 01 1e 01 21 01 24 01 27 01 2a 01 aa 00 aa 00 aa 00 aa 00 aa 00

General
Stream Path:	\x18496\x17163\x16689\x18229
File Type:	data
Stream Size:	8
Entropy:	1.75
Base64 Encoded:	False
Data ASCII:	. . . . . . . .
Data Raw:	a8 00 a9 00 01 00 01 00

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	18
Entropy:	2.10218717095
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . .
Data Raw:	ac 00 c7 00 c9 00 c7 00 c9 00 00 00 c8 00 ca 00 cb 00

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	216
Entropy:	4.29485555194
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . . @ . . . ( . . . p . . . ! . y . . .
Data Raw:	9d 00 9e 00 9f 00 a0 00 a1 00 a3 00 a4 00 a6 00 a7 00 ae 00 b0 00 b1 00 b4 00 b6 00 b7 00 b9 00 ba 00 bb 00 bd 00 bf 00 c0 00 c2 00 c3 00 cf 00 d0 00 d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 d7 00 d8 00 d9 00 db 00 df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 00 dc 00 dc 00 de 00 de 00 de 00 de 00 de 00 da 00 dd 00 dd 00 dd 00 dd 00 dd 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	48
Entropy:	3.11008776073
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . .
Data Raw:	9d 00 9e 00 9f 00 a5 00 cf 00 d0 00 d1 00 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85 19 80 64 80 bc 82 b0 84

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	Dyalog APL aplcore version 171.0
Stream Size:	12
Entropy:	2.29248125036
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . .
Data Raw:	aa 00 ab 00 ac 00 04 81 00 00 ad 00

General
Stream Path:	\x18496\x17630\x17770\x16868\x18472
File Type:	data
Stream Size:	32
Entropy:	2.1983911108
Base64 Encoded:	False
Data ASCII:	/ . / . . . - . - . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	2f 01 2f 01 00 00 2d 01 2d 01 00 00 00 00 00 00 01 00 00 80 02 00 00 80 00 00 00 00 19 01 18 01