Windows Analysis Report
Game Laucher.exe

AI detected suspicious sample

Source: Yara match	File source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Game Laucher.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows process.exe PID: 5880, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Joe Sandbox ML: detected
Source: C:\windows process.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Game Laucher.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Game Laucher.exe

Unpacked PE file: 0.2.Game Laucher.exe.30000.0.unpack

Source: Game Laucher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Game Laucher.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Creates autorun.inf (USB autostart)

Spreading

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

File created: C:\autorun.inf

Snort IDS alert for network traffic

Source: Game Laucher.exe	Binary or memory string: autorun.inf
Source: Game Laucher.exe	Binary or memory string: [autorun]
Source: Game Laucher.exe, 00000000.00000002.2267012943.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Game Laucher.exe, 00000000.00000002.2267012943.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Game Laucher.exe, 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: Game Laucher.exe, 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: windows process.exe, 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: windows process.exe, 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: autorun.inf.2.dr	Binary or memory string: [autorun]

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Code function: 2_2_00727490 FindFirstFileW,

2_2_00727490

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\System32\en-US\KERNELBASE.dll.mui	Jump to behavior

Networking

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.6:49717 -> 18.192.93.86:16943
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49731 -> 18.156.13.209:16943
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49731 -> 18.156.13.209:16943
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49731 -> 18.156.13.209:16943
Source: Traffic	Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.6:49731 -> 18.156.13.209:16943
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.6:49731 -> 18.156.13.209:16943

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 18.192.93.86 ports 1,3,4,6,16943,9
Source: global traffic	TCP traffic: 18.156.13.209 ports 1,3,4,6,16943,9

Source: global traffic	TCP traffic: 192.168.2.6:49717 -> 18.192.93.86:16943
Source: global traffic	TCP traffic: 192.168.2.6:49731 -> 18.156.13.209:16943

Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86
Source: Joe Sandbox View	IP Address: 18.156.13.209 18.156.13.209

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 2.tcp.eu.ngrok.io

Source: windows process.exe, 00000002.00000002.4660226910.00000000007E6000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: Game Laucher.exe, 00000000.00000002.2264581590.000000000004A000.00000040.00000001.01000000.00000003.sdmp, windows process.exe, 00000002.00000002.4660226910.00000000007E6000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: Game Laucher.exe, Game Laucher.exe, 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, windows process.exe, 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

E-Banking Fraud

Protects its processes via BreakOnTermination flag

Source: Yara match	File source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Game Laucher.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows process.exe PID: 5880, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Process information set: 01 00 00 00

Malicious sample detected (through community Yara rule)

System Summary

Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter

PE file contains section with special chars

Source: Game Laucher.exe	Static PE information: section name: .data P
Source: windows process.exe.0.dr	Static PE information: section name: .data P
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name: .data P
Source: windows process.exe.2.dr	Static PE information: section name: .data P

PE file has nameless sections

Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F650 NtSetInformationFile,	2_2_0074F650
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F646 NtClose,	2_2_0074F646
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F6B8 NtReadFile,	2_2_0074F6B8
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F710 NtCreateFile,	2_2_0074F710
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F7F0 NtProtectVirtualMemory,	2_2_0074F7F0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074FBD0 NtClose,VirtualFree,	2_2_0074FBD0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F070 NtEnumerateKey,	2_2_0074F070
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F028 NtCreateKey,	2_2_0074F028
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F0B0 NtSetValueKey,	2_2_0074F0B0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F174 NtLoadKey2,	2_2_0074F174
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F17E NtNotifyChangeKey,	2_2_0074F17E
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F142 NtLoadKey,	2_2_0074F142
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F13A NtFlushKey,	2_2_0074F13A
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F102 NtDeleteKey,	2_2_0074F102
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F10A NtDeleteValueKey,	2_2_0074F10A
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F1E0 NtQueryMultipleValueKey,	2_2_0074F1E0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F27C NtSetInformationKey,	2_2_0074F27C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F25E NtSaveKey,	2_2_0074F25E
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F234 NtReplaceKey,	2_2_0074F234
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F23E NtRestoreKey,	2_2_0074F23E
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F2E0 NtWriteFile,	2_2_0074F2E0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F2C2 NtTerminateProcess,	2_2_0074F2C2
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F2BA NtUnloadKey,	2_2_0074F2BA
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F36C NtQueryDirectoryFile,	2_2_0074F36C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F338 NtQueryObject,	2_2_0074F338
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F3F2 NtDuplicateObject,	2_2_0074F3F2
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F3E8 NtOpenSection,	2_2_0074F3E8
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F43C NtQueryVolumeInformationFile,	2_2_0074F43C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F4EC NtUnlockFile,	2_2_0074F4EC
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F482 NtDeleteFile,	2_2_0074F482
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F48A NtLockFile,	2_2_0074F48A
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F558 NtQuerySection,	2_2_0074F558
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F54F NtUnmapViewOfSection,	2_2_0074F54F
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F533 NtQueryFullAttributesFile,	2_2_0074F533
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F5EC NtCreateSection,	2_2_0074F5EC
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F58C NtMapViewOfSection,	2_2_0074F58C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F634 NtClose,	2_2_0074F634
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F684 NtQueryInformationFile,	2_2_0074F684
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F778 NtOpenFile,	2_2_0074F778
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074F7CB NtQueryAttributesFile,	2_2_0074F7CB
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EBE4 NtCreateThread,	2_2_0074EBE4
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EC50 NtCreateProcess,	2_2_0074EC50
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EC47 NtResumeThread,	2_2_0074EC47
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074ECF8 NtCreateUserProcess,	2_2_0074ECF8
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074ECA0 NtCreateProcessEx,	2_2_0074ECA0
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074ED60 NtOpenKeyEx,	2_2_0074ED60
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EDD4 NtSetSecurityObject,	2_2_0074EDD4
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EDDE NtQuerySecurityObject,	2_2_0074EDDE
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074ED8C NtSetVolumeInformationFile,	2_2_0074ED8C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EE6C NtFsControlFile,	2_2_0074EE6C
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EE14 NtNotifyChangeDirectoryFile,	2_2_0074EE14
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EEFB NtExtendSection,	2_2_0074EEFB
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EEDF NtFlushBuffersFile,	2_2_0074EEDF
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EF72 NtEnumerateValueKey,	2_2_0074EF72
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EF68 NtOpenKey,	2_2_0074EF68
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EF04 NtAccessCheck,	2_2_0074EF04
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EFE8 NtQueryValueKey,	2_2_0074EFE8
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_0074EFB4 NtQueryKey,	2_2_0074EFB4
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_037E052A NtQuerySystemInformation,	2_2_037E052A
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_037E010E NtSetInformationProcess,	2_2_037E010E
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_037E04EF NtQuerySystemInformation,	2_2_037E04EF
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_037E00EC NtSetInformationProcess,	2_2_037E00EC

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\windows process.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\windows process.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Code function: 2_2_03643258

2_2_03643258

Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: String function: 0004E264 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: String function: 00700D9C appears 67 times

Source: Game Laucher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net

Source: Game Laucher.exe	Static PE information: Section: .data P ZLIB complexity 0.997179533305921
Source: windows process.exe.0.dr	Static PE information: Section: .data P ZLIB complexity 0.997179533305921
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: Section: .data P ZLIB complexity 0.997179533305921
Source: windows process.exe.2.dr	Static PE information: Section: .data P ZLIB complexity 0.997179533305921

Source: classification engine

Classification label: mal100.spre.troj.adwa.evad.winEXE@9/9@2/2

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_030ABDA2 AdjustTokenPrivileges,		2_2_030ABDA2
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Code function: 2_2_030ABD6B AdjustTokenPrivileges,		2_2_030ABD6B

Source: C:\Users\user\Desktop\Game Laucher.exe

Code function: 0_2_001B796C GetDiskFreeSpaceExA,

0_2_001B796C

Source: C:\Users\user\Desktop\Game Laucher.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Game Laucher.exe.log

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Mutant created: \Sessions\1\BaseNamedObjects\b0eb5dd3a6fc209e7aa02e6880775930
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03

Source: C:\Users\user\Desktop\Game Laucher.exe

File created: C:\Users\user\AppData\Local\Temp\windows process.exe

Source: C:\Users\user\Desktop\Game Laucher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

Source: C:\Users\user\Desktop\Game Laucher.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Game Laucher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Game Laucher.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Game Laucher.exe

File read: C:\Users\user\Desktop\Game Laucher.exe

Source: unknown	Process created: C:\Users\user\Desktop\Game Laucher.exe "C:\Users\user\Desktop\Game Laucher.exe"
Source: C:\Users\user\Desktop\Game Laucher.exe	Process created: C:\Users\user\AppData\Local\Temp\windows process.exe "C:\Users\user\AppData\Local\Temp\windows process.exe"
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\windows process.exe" "windows process.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Game Laucher.exe	Process created: C:\Users\user\AppData\Local\Temp\windows process.exe "C:\Users\user\AppData\Local\Temp\windows process.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\windows process.exe" "windows process.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Game Laucher.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: Game Laucher.exe

Static file information: File size 1150464 > 1048576

Source: C:\Users\user\Desktop\Game Laucher.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Detected unpacking (changes PE section rights)

Data Obfuscation

Source: C:\Users\user\Desktop\Game Laucher.exe	Unpacked PE file: 0.2.Game Laucher.exe.30000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Unpacked PE file: 2.2.windows process.exe.6e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Game Laucher.exe

Unpacked PE file: 0.2.Game Laucher.exe.30000.0.unpack

Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name:
Source: Game Laucher.exe	Static PE information: section name: .data P
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name:
Source: windows process.exe.0.dr	Static PE information: section name: .data P
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name:
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name: .data P
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name:
Source: windows process.exe.2.dr	Static PE information: section name: .data P

Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00076EC8 push 00076F17h; ret	0_2_00076F0F
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0003751D push es; retf	0_2_00037528
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00066104 push ecx; mov dword ptr [esp], edx	0_2_00066109
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0006A19C push ecx; mov dword ptr [esp], edx	0_2_0006A19E
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0006632C push ecx; mov dword ptr [esp], edx	0_2_00066331
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0005A365 push 0005A6D8h; ret	0_2_0005A6D0
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0005A370 push 0005A6D8h; ret	0_2_0005A6D0
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000523EA push 00052418h; ret	0_2_00052410
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0007040C push ecx; mov dword ptr [esp], edx	0_2_00070411
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00052424 push 00052450h; ret	0_2_00052448
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00066448 push ecx; mov dword ptr [esp], edx	0_2_0006644D
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00064454 push 000644A1h; ret	0_2_00064499
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0005245C push 00052488h; ret	0_2_00052480
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0006648C push ecx; mov dword ptr [esp], edx	0_2_00066491
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00052494 push 000524C0h; ret	0_2_000524B8
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000524F8 push 0005252Ch; ret	0_2_00052524
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00062536 push 000625B5h; ret	0_2_000625AD
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0006854C push ecx; mov dword ptr [esp], edx	0_2_0006854D
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000505F0 push 00050641h; ret	0_2_00050639
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0005A6DA push 0005A74Bh; ret	0_2_0005A743
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00062804 push 00062830h; ret	0_2_00062828
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0005A85E push 0005A88Ch; ret	0_2_0005A884
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000508AA push 000508D8h; ret	0_2_000508D0
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00050968 push 00050994h; ret	0_2_0005098C
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00068F70 push ecx; mov dword ptr [esp], ecx	0_2_00068F75
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0004CF90 push eax; ret	0_2_0004CFCC
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000633A0 push 00063400h; ret	0_2_000633F8
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00063456 push 000635A4h; ret	0_2_0006359C
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_0006162C push 000616A2h; ret	0_2_0006169A
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_00063684 push ecx; mov dword ptr [esp], ecx	0_2_00063687
Source: C:\Users\user\Desktop\Game Laucher.exe	Code function: 0_2_000616A4 push 0006174Ch; ret	0_2_00061744

Source: Game Laucher.exe	Static PE information: section name: entropy: 7.953883778943793
Source: Game Laucher.exe	Static PE information: section name: .rsrc entropy: 7.885616164638959
Source: Game Laucher.exe	Static PE information: section name: .data P entropy: 7.986419269749442
Source: windows process.exe.0.dr	Static PE information: section name: entropy: 7.953883778943793
Source: windows process.exe.0.dr	Static PE information: section name: .rsrc entropy: 7.885616164638959
Source: windows process.exe.0.dr	Static PE information: section name: .data P entropy: 7.986419269749442
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name: entropy: 7.953883778943793
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name: .rsrc entropy: 7.885616164638959
Source: b0eb5dd3a6fc209e7aa02e6880775930.exe.2.dr	Static PE information: section name: .data P entropy: 7.986419269749442
Source: windows process.exe.2.dr	Static PE information: section name: entropy: 7.953883778943793
Source: windows process.exe.2.dr	Static PE information: section name: .rsrc entropy: 7.885616164638959
Source: windows process.exe.2.dr	Static PE information: section name: .data P entropy: 7.986419269749442

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\windows process.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Game Laucher.exe	File created: C:\Users\user\AppData\Local\Temp\windows process.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

File created: C:\windows process.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930	Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Memory allocated: 37F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Memory allocated: 2EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Memory allocated: 35D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Memory allocated: 3F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Memory allocated: 3CC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: threadDelayed 2151	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: threadDelayed 1874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: threadDelayed 2984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: threadDelayed 1468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: foregroundWindowGot 539	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Window / User API: foregroundWindowGot 1425	Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe TID: 5576	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe TID: 3108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe TID: 5028	Thread sleep time: -2151000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe TID: 6960	Thread sleep time: -1874000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe TID: 5028	Thread sleep time: -1468000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Code function: 2_2_00727490 FindFirstFileW,

2_2_00727490

Source: C:\Users\user\Desktop\Game Laucher.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: C:\Windows\System32\en-US\KERNELBASE.dll.mui	Jump to behavior

Source: windows process.exe, 00000002.00000002.4660226910.000000000074B000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VBoxService.exe
Source: Game Laucher.exe, Game Laucher.exe, 00000000.00000002.2264581590.0000000000190000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: Game Laucher.exe, 00000000.00000002.2265236834.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11
Source: Game Laucher.exe, Game Laucher.exe, 00000000.00000002.2264581590.0000000000190000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: windows process.exe, 00000002.00000002.4660226910.000000000074B000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VMWare
Source: Game Laucher.exe, 00000000.00000002.2265236834.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Game Laucher.exe, 00000000.00000002.2264581590.0000000000190000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: windows process.exe, 00000002.00000002.4660226910.000000000074B000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: &VBoxService.exe
Source: windows process.exe, 00000002.00000002.4660894310.00000000015FB000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.2333244460.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Game Laucher.exe

Process information queried: ProcessInformation

Hides threads from debuggers

Anti Debugging

Source: C:\Users\user\Desktop\Game Laucher.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Game Laucher.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Open window title or class name: ollydbg

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: SIWDEBUG
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	File opened: SICE

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Game Laucher.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Game Laucher.exe

Process created: C:\Users\user\AppData\Local\Temp\windows process.exe "C:\Users\user\AppData\Local\Temp\windows process.exe"

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe

Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows process.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Code function: 2_2_0074DCC0 GetTimeZoneInformation,

2_2_0074DCC0

Source: C:\Users\user\Desktop\Game Laucher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies the windows firewall

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\windows process.exe" "windows process.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\windows process.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\windows process.exe" "windows process.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Game Laucher.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows process.exe PID: 5880, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.Game Laucher.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Game Laucher.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windows process.exe PID: 5880, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	1 Windows Management Instrumentation	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	211 Disable or Modify Tools	LSASS Memory	311 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	241 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	241 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Game Laucher.exe	53%	ReversingLabs	Win32.Packed.Enigma
Game Laucher.exe	100%	Avira	TR/Crypt.XPACK.Gen
Game Laucher.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\windows process.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\windows process.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\windows process.exe	100%	Joe Sandbox ML
C:\windows process.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\windows process.exe	53%	ReversingLabs	Win32.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe	53%	ReversingLabs	Win32.Backdoor.njRAT
C:\windows process.exe	53%	ReversingLabs	Win32.Backdoor.njRAT

Source	Detection	Scanner	Label
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	0%	Avira URL Cloud	safe
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware
http://www.enigmaprotector.com/	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/openU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.192.93.86	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	Game Laucher.exe, Game Laucher.exe, 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, windows process.exe, 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enigmaprotector.com/	windows process.exe, 00000002.00000002.4660226910.00000000007E6000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enigmaprotector.com/openU	Game Laucher.exe, 00000000.00000002.2264581590.000000000004A000.00000040.00000001.01000000.00000003.sdmp, windows process.exe, 00000002.00000002.4660226910.00000000007E6000.00000040.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.192.93.86	2.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true
18.156.13.209	unknown	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1469270
Start date and time:	2024-07-08 18:12:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Game Laucher.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.evad.winEXE@9/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 54% Number of executed functions: 184 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, SearchApp.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Game Laucher.exe

Simulations

Behavior and APIs

Time	Type	Description
12:13:48	API Interceptor	4364728x Sleep call for process: windows process.exe modified
18:13:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930 "C:\Users\user\AppData\Local\Temp\windows process.exe" ..
18:13:33	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930 "C:\Users\user\AppData\Local\Temp\windows process.exe" ..
18:13:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run b0eb5dd3a6fc209e7aa02e6880775930 "C:\Users\user\AppData\Local\Temp\windows process.exe" ..
18:13:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.156.13.209	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	10.exe	Get hash	malicious	Unknown	Browse	18.192.93.86
	En3e396wX1.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	ZxocxU01PB.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	4xKDL5YCfQ.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	R3ov8eFFFP.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	Ve0c8i5So2.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	LMQV4V1d3E.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	b8UsrDOVGV.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	BHp5Is5Xe7.exe	Get hash	malicious	Njrat	Browse	18.192.93.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://us-west-2.protection.sophos.com/?d=exactag.com&u=aHR0cHM6Ly9tLmV4YWN0YWcuY29tL2FpLmFzcHg_dGM9ZDkyODI0MDNiYzQwYjA3MjA1YmJkMjZhMjNhOGQyZTZiNmI0ZjkmdXJsPS8vamtvbGV3b2lka2pqanVlaXV3dWVpa3N1ZWhtaXdramVodWl3aWplbS5wYWdlcy5kZXYvIz9lbWFpbD1kMmRoYkd4aFoyaGxja0IzYVd4c2FXRnRjMkoxY21kaGRYUnZMbU52YlE9PQ==&p=m&i=NjMxYTA3MTQzYzM4OGExMWNhNTUxMjM3&t=M2MzLzlOanJsS2xuWlREbDkvZnVrQnRKZUgvY05SdUszRk92MWFQV0JUcz0=&h=22cc77147c96407ab786e61486ffe8f8&s=AVNPUEhUT0NFTkNSWVBUSVaj2MyeOPMPdOTEGVo_dGllpNUTdUTDvA7RNZ7HJM-6vQ	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.157.194.47
	Scan_Doc-00024.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.157.194.47
	http://le100.net	Get hash	malicious	Unknown	Browse	54.76.66.215
	Complete with Docusign_ June_Commission-Report.pdf.eml	Get hash	malicious	HTMLPhisher	Browse	52.89.98.217
	Order 81307529516.LZ.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	https://hr.economictimes.indiatimes.com/etl.php?url=https://link.mail.beehiiv.com/ls/click?upn=u001.C7CyaRD6J7Tdcqj9-2FMOqGE7r0wgi8kv64sAcgUPyKxo5WVoDX535gK1GDXQwPdAQrihn70HxgcGt2YBaUq1CgXa4w9UpnKYDWVk4wstl4BzTl0nByfbAMK9adrJtPNZDcYNrLz06jcC5tefVJ0MSELmrJVBWp2H-2FJNpadLpkW49aZHb0SN7faZdRSrGyWuvMdp4__d7CEfkoadLhLBotLDjFJV7Gf-2FGq-2FLbbkNC53nfsKxrXBgvOKDfwaSxCVShLSUOB96Cn1WOBmKtjwKglvs4Ik-2BSw75NpxJFloSreNjVrf23EvzQ1FRnAoElvJF-2B8D-2BMukEyUOFyqiDfOcPKVuQi4IrT2aGHp2KaoeXacWORZxyg-2BV2JHBFjW8KSG6ohd2I1l-2Bys1eXb0UaY6hTGOmp7v7bQMT64tqZtgUnbI7dAvCSbjKmaiKyIN7QZWXlla-2Bl8SOGSAyzrZKFQV17NyAoV171-2FYqo1ABGkQoLEipNqxGy4lfga0v-2FXAFNABPZkTJ1ZqclpC2FUhBDYSM-2Bab4YaBlh-2BErAoNeIxttwbVnYGtNKIF4zBYqTFz4qjHn2b3VZ8BmkRPY4ofkEnlvrjKe2YQtpdmmW90mogImF21NdSt2XKUr9ey1x1i70RJFZn5ES3dC	Get hash	malicious	Unknown	Browse	108.139.243.59
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.20958.13318.rtf	Get hash	malicious	FormBook	Browse	52.52.24.52
	https://t.apemail.net/c/nqkqivaeafkveu2tdidqguiddibqeakudjkqoakvdihvmb2tkiaagdydaihfmfi3audqkaifbyabwaabbyhqcbafaanq4byoaedqeaipamnqogyvpf3bkgyvafkambqpkikwu-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmcqabipaidqagyfaycqiaibainqkbyfaecq4aa3aubq4dqfbyaaegyvarkaiakvkjjvggqhaniqggqdaiavigsva4avkgqpkydvguqaamhqgaqokykrwdqhbyaqoaqbb4brwfl3ijmvmrixpfjeaf3okjlekfy2c4dqefy7mzbf4vc4c5sfewktdykrwflfojqx44tacunqaaiob4aqibiadmkv6q2di5ca2gaylbnv6wcblzavqvkfdfkfqwqzkvcrqvsaivcugvcylfbvmvcddbqqiy3odabx6x2pbydu4qcwdfpugws3cunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	65.9.86.73
	https://www.bing.com/ck/a?!&&p=1c2e03d92a757c8bJmltdHM9MTcyMDA1MTIwMCZpZ3VpZD0xN2U2ZWM4Ni1jZTFkLTY0ODgtMDE5Yy1mODM0Y2ZkZDY1ZDYmaW5zaWQ9NTMwOQ&ptn=3&ver=2&hsh=3&fclid=17e6ec86-ce1d-6488-019c-f834cfdd65d6&u=a1aHR0cHM6Ly93d3cuZGlyZWl0b2RlbGFzcG9yZWxhcy5jb20uYnIvbXlwYWdlL2xvZ2lu&#amVpc2ZlbGRlckBtZW5vbWluZWVjYXNpbm9yZXNvcnQuY29t	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	13.227.219.11
	https://mail.pfl.fyi/v1/messages/01907499-c522-7db0-8f73-8ecef125b6ef/click?link_id=01907499-c784-79b1-9586-0af27d2ecc90&signature=435c599a2ffdd44fb638aab33a856024482c0588	Get hash	malicious	Tycoon2FA	Browse	13.226.184.73
AMAZON-02US	https://us-west-2.protection.sophos.com/?d=exactag.com&u=aHR0cHM6Ly9tLmV4YWN0YWcuY29tL2FpLmFzcHg_dGM9ZDkyODI0MDNiYzQwYjA3MjA1YmJkMjZhMjNhOGQyZTZiNmI0ZjkmdXJsPS8vamtvbGV3b2lka2pqanVlaXV3dWVpa3N1ZWhtaXdramVodWl3aWplbS5wYWdlcy5kZXYvIz9lbWFpbD1kMmRoYkd4aFoyaGxja0IzYVd4c2FXRnRjMkoxY21kaGRYUnZMbU52YlE9PQ==&p=m&i=NjMxYTA3MTQzYzM4OGExMWNhNTUxMjM3&t=M2MzLzlOanJsS2xuWlREbDkvZnVrQnRKZUgvY05SdUszRk92MWFQV0JUcz0=&h=22cc77147c96407ab786e61486ffe8f8&s=AVNPUEhUT0NFTkNSWVBUSVaj2MyeOPMPdOTEGVo_dGllpNUTdUTDvA7RNZ7HJM-6vQ	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.157.194.47
	Scan_Doc-00024.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.157.194.47
	http://le100.net	Get hash	malicious	Unknown	Browse	54.76.66.215
	Complete with Docusign_ June_Commission-Report.pdf.eml	Get hash	malicious	HTMLPhisher	Browse	52.89.98.217
	Order 81307529516.LZ.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	https://hr.economictimes.indiatimes.com/etl.php?url=https://link.mail.beehiiv.com/ls/click?upn=u001.C7CyaRD6J7Tdcqj9-2FMOqGE7r0wgi8kv64sAcgUPyKxo5WVoDX535gK1GDXQwPdAQrihn70HxgcGt2YBaUq1CgXa4w9UpnKYDWVk4wstl4BzTl0nByfbAMK9adrJtPNZDcYNrLz06jcC5tefVJ0MSELmrJVBWp2H-2FJNpadLpkW49aZHb0SN7faZdRSrGyWuvMdp4__d7CEfkoadLhLBotLDjFJV7Gf-2FGq-2FLbbkNC53nfsKxrXBgvOKDfwaSxCVShLSUOB96Cn1WOBmKtjwKglvs4Ik-2BSw75NpxJFloSreNjVrf23EvzQ1FRnAoElvJF-2B8D-2BMukEyUOFyqiDfOcPKVuQi4IrT2aGHp2KaoeXacWORZxyg-2BV2JHBFjW8KSG6ohd2I1l-2Bys1eXb0UaY6hTGOmp7v7bQMT64tqZtgUnbI7dAvCSbjKmaiKyIN7QZWXlla-2Bl8SOGSAyzrZKFQV17NyAoV171-2FYqo1ABGkQoLEipNqxGy4lfga0v-2FXAFNABPZkTJ1ZqclpC2FUhBDYSM-2Bab4YaBlh-2BErAoNeIxttwbVnYGtNKIF4zBYqTFz4qjHn2b3VZ8BmkRPY4ofkEnlvrjKe2YQtpdmmW90mogImF21NdSt2XKUr9ey1x1i70RJFZn5ES3dC	Get hash	malicious	Unknown	Browse	108.139.243.59
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.20958.13318.rtf	Get hash	malicious	FormBook	Browse	52.52.24.52
	https://t.apemail.net/c/nqkqivaeafkveu2tdidqguiddibqeakudjkqoakvdihvmb2tkiaagdydaihfmfi3audqkaifbyabwaabbyhqcbafaanq4byoaedqeaipamnqogyvpf3bkgyvafkambqpkikwu-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmcqabipaidqagyfaycqiaibainqkbyfaecq4aa3aubq4dqfbyaaegyvarkaiakvkjjvggqhaniqggqdaiavigsva4avkgqpkydvguqaamhqgaqokykrwdqhbyaqoaqbb4brwfl3ijmvmrixpfjeaf3okjlekfy2c4dqefy7mzbf4vc4c5sfewktdykrwflfojqx44tacunqaaiob4aqibiadmkv6q2di5ca2gaylbnv6wcblzavqvkfdfkfqwqzkvcrqvsaivcugvcylfbvmvcddbqqiy3odabx6x2pbydu4qcwdfpugws3cunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	65.9.86.73
	https://www.bing.com/ck/a?!&&p=1c2e03d92a757c8bJmltdHM9MTcyMDA1MTIwMCZpZ3VpZD0xN2U2ZWM4Ni1jZTFkLTY0ODgtMDE5Yy1mODM0Y2ZkZDY1ZDYmaW5zaWQ9NTMwOQ&ptn=3&ver=2&hsh=3&fclid=17e6ec86-ce1d-6488-019c-f834cfdd65d6&u=a1aHR0cHM6Ly93d3cuZGlyZWl0b2RlbGFzcG9yZWxhcy5jb20uYnIvbXlwYWdlL2xvZ2lu&#amVpc2ZlbGRlckBtZW5vbWluZWVjYXNpbm9yZXNvcnQuY29t	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	13.227.219.11
	https://mail.pfl.fyi/v1/messages/01907499-c522-7db0-8f73-8ecef125b6ef/click?link_id=01907499-c784-79b1-9586-0af27d2ecc90&signature=435c599a2ffdd44fb638aab33a856024482c0588	Get hash	malicious	Tycoon2FA	Browse	13.226.184.73

Process:	C:\Users\user\Desktop\Game Laucher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	641
Entropy (8bit):	5.255094057343913
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk70U2+Eb5iv:MLF2CpI3zffup29Iz52VM2+Z
MD5:	898DE7911DF98E1BCA0E8A9E4EF5AB04
SHA1:	9C9E968E380403E4F11EA34C3169C9CE1496F345
SHA-256:	C2FCB238F2C3F05B744A9E3287F474E493BF76AE73112FBDF79A296FE291891B
SHA-512:	E9ED6D76D1B594FB7C3B03FF7B940F87B81896AFC6F65ADC0229BFDF3B4372CCB42E2C16596B5588CC360469BB77AC669A58DAF6418683DE2903EDE5F19BD015
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\windows process.exe

Process:	C:\Users\user\Desktop\Game Laucher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1150464
Entropy (8bit):	7.989590055840964
Encrypted:	false
SSDEEP:	24576:ga81+sa79EYE7uS2KzKuHcJNc4R0eB+Kt3cNmLc9dJ:ga81+sqnQd2KzK0coTeBX3cQL2J
MD5:	B24F58BB4315DFA0C7EFE2CB18BED37D
SHA1:	E3E00C86534EA4095F45820FC5D9D59641832058
SHA-256:	A71B560AFB99073078FA82E00143A8DB8B93ED79E3DC228880F696C109BDDC89
SHA-512:	F8B97748D0E2B8BC044A89BB1E7C035C91E0FF3F4C8DE4D439248FC6566D0EF2A5BA3536CA54D2DF3F3BCD7BE7601C225EA51A8491E79E397D68D5BB8A091892
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.f.....................N......$>... ........@.. ........................7...........@................................. .)......@..DJ....................).................................................................................................. ...@..................@............`...........D..............@............ ... .......F..............@....rsrc....`...@...L...H..............@.............(.........................@....data. P.@....)..@...N..............@............................................./LG'..h.....w0........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\windows process.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\Game Laucher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe

Process:	C:\Users\user\AppData\Local\Temp\windows process.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1150464
Entropy (8bit):	7.989590055840964
Encrypted:	false
SSDEEP:	24576:ga81+sa79EYE7uS2KzKuHcJNc4R0eB+Kt3cNmLc9dJ:ga81+sqnQd2KzK0coTeBX3cQL2J
MD5:	B24F58BB4315DFA0C7EFE2CB18BED37D
SHA1:	E3E00C86534EA4095F45820FC5D9D59641832058
SHA-256:	A71B560AFB99073078FA82E00143A8DB8B93ED79E3DC228880F696C109BDDC89
SHA-512:	F8B97748D0E2B8BC044A89BB1E7C035C91E0FF3F4C8DE4D439248FC6566D0EF2A5BA3536CA54D2DF3F3BCD7BE7601C225EA51A8491E79E397D68D5BB8A091892
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.f.....................N......$>... ........@.. ........................7...........@................................. .)......@..DJ....................).................................................................................................. ...@..................@............`...........D..............@............ ... .......F..............@....rsrc....`...@...L...H..............@.............(.........................@....data. P.@....)..@...N..............@............................................./LG'..h.....w0........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0eb5dd3a6fc209e7aa02e6880775930.exe:Zone.Identifier

Process:	C:\Users\user\AppData\Local\Temp\windows process.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\autorun.inf

Process:	C:\Users\user\AppData\Local\Temp\windows process.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.461092201874919
Encrypted:	false
SSDEEP:	3:It1KV2BBK9XK96i0x:e1KIIKs
MD5:	F2C8846FA65E2CBFE8BF344B9C64F1E3
SHA1:	E36BFE32F0AEC7924D2AE308C78CE86E64A9D0A0
SHA-256:	0E3D1C4FD40DF226531C4EEA100220BE69A35DDCB7CFCA495F7ED495929E4DBB
SHA-512:	BCFD7AD4A11B2BFB00AF7FA22CA0A3130DAAF9F2E684C682333961492A1398CBAB35608D25D6FF23B32541FC1DDFEA4FB9FA6E6E9A06060067407314AA204760
Malicious:	true
Preview:	[autorun]..open=C:\windows process.exe..shellexecute=C:\..

C:\windows process.exe

Process:	C:\Users\user\AppData\Local\Temp\windows process.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1150464
Entropy (8bit):	7.989590055840964
Encrypted:	false
SSDEEP:	24576:ga81+sa79EYE7uS2KzKuHcJNc4R0eB+Kt3cNmLc9dJ:ga81+sqnQd2KzK0coTeBX3cQL2J
MD5:	B24F58BB4315DFA0C7EFE2CB18BED37D
SHA1:	E3E00C86534EA4095F45820FC5D9D59641832058
SHA-256:	A71B560AFB99073078FA82E00143A8DB8B93ED79E3DC228880F696C109BDDC89
SHA-512:	F8B97748D0E2B8BC044A89BB1E7C035C91E0FF3F4C8DE4D439248FC6566D0EF2A5BA3536CA54D2DF3F3BCD7BE7601C225EA51A8491E79E397D68D5BB8A091892
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.f.....................N......$>... ........@.. ........................7...........@................................. .)......@..DJ....................).................................................................................................. ...@..................@............`...........D..............@............ ... .......F..............@....rsrc....`...@...L...H..............@.............(.........................@....data. P.@....)..@...N..............@............................................./LG'..h.....w0........................................................................................................................................................................................................................................................................................................................................

C:\windows process.exe:Zone.Identifier

Process:	C:\Users\user\AppData\Local\Temp\windows process.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.989590055840964
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Game Laucher.exe
File size:	1'150'464 bytes
MD5:	b24f58bb4315dfa0c7efe2cb18bed37d
SHA1:	e3e00c86534ea4095f45820fc5d9d59641832058
SHA256:	a71b560afb99073078fa82e00143a8db8b93ed79e3dc228880f696c109bddc89
SHA512:	f8b97748d0e2b8bc044a89bb1e7c035c91e0ff3f4c8de4d439248fc6566d0ef2a5ba3536ca54d2df3f3bcd7be7601c225ea51a8491e79e397d68d5bb8a091892
SSDEEP:	24576:ga81+sa79EYE7uS2KzKuHcJNc4R0eB+Kt3cNmLc9dJ:ga81+sqnQd2KzK0coTeBX3cQL2J
TLSH:	0E35331E73CB1851EC54B9BF9610BC78BD8FC6287DAE1E08AFD7558321404E25F80E9A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..f.....................N......$>... ........@.. ........................7...........@................................

File Icon


Icon Hash:	0f33f16cea4d6917

Static PE Info

General

Entrypoint:	0x403e24
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x668BEF48 [Mon Jul 8 13:53:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5467cba76f44a088d39f78c5e807b6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007FA4886DC976h
call far 5DE5h : 8B10C483h
jmp 00007FA488A5413Dh
lds ecx, edx
imul ebx, ebp, 7E2E3C9Bh
pop edx
pop ss

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29a020	0x210	.data P
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4a44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x29a000	0xc	.data P
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0xa000	0x4000	f9cecc5c1b2a1a69d41cbebb20328d11	False	0.98321533203125	data	7.953883778943793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xc000	0x6000	0x200	2c2c577491b1d8ff3874dde5a1f099ea	False	0.0625	data	0.3623175539007212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x12000	0x2000	0x200	bfa22a756f9ec241c5b50d744e000d8b	False	0.056640625	data	0.30140680731160896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14000	0x6000	0x4c00	9adc5c3a4d64f80db25f34ad2ddf570e	False	0.9642269736842105	data	7.885616164638959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1a000	0x280000	0x2ba00	bcbeb41f5da92d3b3ba1c39d94f12b24	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data P	0x29a000	0xe4000	0xe4000	38ea37a97940620192b3c79e57b26695	False	0.997179533305921	data	7.986419269749442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x140e8	0x475d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0008758005364278
RT_GROUP_ICON	0x18848	0x14	data	0.9
RT_MANIFEST	0x1885c	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators	0.5338809034907598

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/08/24-18:13:32.142062	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:15:49.953303	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49731	16943	192.168.2.6	18.156.13.209
07/08/24-18:13:26.281099	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:13:32.142062	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:13:32.552443	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:13:26.276084	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:15:49.953303	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49731	16943	192.168.2.6	18.156.13.209
07/08/24-18:15:51.939065	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49731	16943	192.168.2.6	18.156.13.209
07/08/24-18:13:32.552443	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:13:26.281099	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49717	16943	192.168.2.6	18.192.93.86
07/08/24-18:15:49.947605	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49731	16943	192.168.2.6	18.156.13.209
07/08/24-18:15:51.939065	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49731	16943	192.168.2.6	18.156.13.209

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 18:13:26.133502960 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:26.138665915 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:26.138751030 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:26.276083946 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:26.280916929 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:26.281099081 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:26.286154985 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:32.142061949 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:32.146970034 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:32.455060959 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:32.501008987 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:32.552443027 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:32.558012962 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:32.732079029 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:32.732336044 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:32.737212896 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:35.472769976 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:35.516582012 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:35.546808958 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:35.551842928 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:50.765440941 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:50.765952110 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:50.770767927 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:54.632209063 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:54.666264057 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:54.671606064 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:57.658540964 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:13:57.699090958 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:13:57.704221010 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:02.702924967 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:02.743608952 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:14:02.748678923 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:08.782021046 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:08.782320023 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:14:08.788913965 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:26.791515112 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:26.791692972 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:14:26.796799898 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:44.825001955 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:14:44.825357914 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:14:44.830495119 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:02.882661104 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:02.884843111 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:02.889997005 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:18.439989090 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:18.479739904 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:18.485356092 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:20.891350985 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:20.893440008 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:20.898462057 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:21.457317114 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:21.513179064 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:21.518201113 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:24.481426001 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:24.544212103 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:24.549083948 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:27.511253119 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:27.556701899 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:27.561953068 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:30.537621975 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:30.595518112 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:30.601322889 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:33.567269087 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:33.620892048 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:33.625911951 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:36.588613987 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:36.635577917 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:36.641448975 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:38.889575005 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:38.889795065 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:39.141957998 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:39.142009020 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:39.142683029 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:39.627569914 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:39.670746088 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:39.692205906 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:39.698250055 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:42.636113882 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:42.701000929 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:42.712647915 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:47.910871029 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:47.913347960 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:49.923856020 CEST	49717	16943	192.168.2.6	18.192.93.86
Jul 8, 2024 18:15:49.928883076 CEST	16943	49717	18.192.93.86	192.168.2.6
Jul 8, 2024 18:15:49.937984943 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:49.943368912 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:49.945307016 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:49.947604895 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:49.952650070 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:49.953303099 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:49.958645105 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:51.872101068 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:51.939064980 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:51.945029974 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:54.767394066 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:54.806215048 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:54.811647892 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:56.628695011 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:56.629098892 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:56.640582085 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:58.288058996 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:58.288794994 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:58.288917065 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:58.320530891 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:58.518594027 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:15:58.518656969 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:15:58.525681019 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:00.817461014 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:00.870003939 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:00.876492023 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:00.881706953 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:04.850775957 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:04.901065111 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:04.905962944 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:14.563033104 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:14.563244104 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:14.569116116 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:32.977298975 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:32.977569103 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:32.980880022 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:32.980959892 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:32.984558105 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:50.613889933 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:16:50.614052057 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:16:50.622395039 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:17:08.612670898 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:17:08.612869024 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:17:08.618752003 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:17:19.607773066 CEST	16943	49731	18.156.13.209	192.168.2.6
Jul 8, 2024 18:17:19.647943974 CEST	49731	16943	192.168.2.6	18.156.13.209
Jul 8, 2024 18:17:19.652987957 CEST	16943	49731	18.156.13.209	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 18:13:26.063364029 CEST	62654	53	192.168.2.6	1.1.1.1
Jul 8, 2024 18:13:26.076687098 CEST	53	62654	1.1.1.1	192.168.2.6
Jul 8, 2024 18:15:49.925180912 CEST	50217	53	192.168.2.6	1.1.1.1
Jul 8, 2024 18:15:49.936157942 CEST	53	50217	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 8, 2024 18:13:26.063364029 CEST	192.168.2.6	1.1.1.1	0xa020	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 8, 2024 18:15:49.925180912 CEST	192.168.2.6	1.1.1.1	0x8bb8	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 8, 2024 18:13:26.076687098 CEST	1.1.1.1	192.168.2.6	0xa020	No error (0)	2.tcp.eu.ngrok.io		18.192.93.86	A (IP address)	IN (0x0001)	false
Jul 8, 2024 18:15:49.936157942 CEST	1.1.1.1	192.168.2.6	0x8bb8	No error (0)	2.tcp.eu.ngrok.io		18.156.13.209	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:13:09
Start date:	08/07/2024
Path:	C:\Users\user\Desktop\Game Laucher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Game Laucher.exe"
Imagebase:	0x30000
File size:	1'150'464 bytes
MD5 hash:	B24F58BB4315DFA0C7EFE2CB18BED37D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.2264558666.0000000000032000.00000040.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:13:16
Start date:	08/07/2024
Path:	C:\Users\user\AppData\Local\Temp\windows process.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\windows process.exe"
Imagebase:	0x6e0000
File size:	1'150'464 bytes
MD5 hash:	B24F58BB4315DFA0C7EFE2CB18BED37D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4662154451.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	12:13:22
Start date:	08/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\windows process.exe" "windows process.exe" ENABLE
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	12:13:22
Start date:	08/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	12:13:23
Start date:	08/07/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM explorer.exe
Imagebase:	0xa10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	12:13:23
Start date:	08/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true