Windows Analysis Report
7UpMyeV5pj.exe

Overview

General Information

Sample name: 7UpMyeV5pj.exe
renamed because original name is a hash value
Original sample name: a458a33e5591c3fd7f7c8ae58d50ce55.exe
Analysis ID: 1510282
MD5: a458a33e5591c3fd7f7c8ae58d50ce55
SHA1: e9342f2bd7db767d12e0b5faa1f2918bdabafe77
SHA256: 95e922bc96ec909a9eb80ae3716af0038ee3de24fc22b569c527764bf3be27a1
Tags: exenjratRAT
Infos:

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 7UpMyeV5pj.exe Avira: detected
Antivirus detection for dropped file
Source: C:\system.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Umbrella.flv.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Notepad.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "Victim", "Version": "0.7d", "Install Name": "c9ab3737857dedd15cd55323eac58732", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for dropped file
Source: C:\Notepad.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Umbrella.flv.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Documents\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Favorites\Explower.exe ReversingLabs: Detection: 84%
Source: C:\Windows\SysWOW64\Explower.exe ReversingLabs: Detection: 84%
Source: C:\system.exe ReversingLabs: Detection: 84%
Multi AV Scanner detection for submitted file
Source: 7UpMyeV5pj.exe ReversingLabs: Detection: 84%
Yara detected Njrat
Source: Yara match File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match File source: C:\Notepad.exe, type: DROPPED
Source: Yara match File source: C:\system.exe, type: DROPPED
Source: Yara match File source: C:\Umbrella.flv.exe, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\system.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe Joe Sandbox ML: detected
Source: C:\Notepad.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 7UpMyeV5pj.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 7UpMyeV5pj.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: 7UpMyeV5pj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading
barindex
Contains functionality to spread to USB devices (.Net source)
Source: 7UpMyeV5pj.exe, -.cs .Net Code: @
Source: Explower.exe.0.dr, -.cs .Net Code: @
Source: Explower.exe0.0.dr, -.cs .Net Code: @
Source: system.exe.0.dr, -.cs .Net Code: @
Source: Notepad.exe.0.dr, -.cs .Net Code: @
Source: Explower.exe1.0.dr, -.cs .Net Code: @
Source: Explower.exe2.0.dr, -.cs .Net Code: @
Source: Explower.exe3.0.dr, -.cs .Net Code: @
Source: Explower.exe4.0.dr, -.cs .Net Code: @
Creates autorun.inf (USB autostart)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\autorun.inf Jump to behavior
May infect USB drives
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf$OZk
Source: 7UpMyeV5pj.exe Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe Binary or memory string: autorun.inf
Source: system.exe.0.dr Binary or memory string: \autorun.inf
Source: system.exe.0.dr Binary or memory string: [autorun]
Source: system.exe.0.dr Binary or memory string: autorun.inf
Source: Explower.exe2.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe2.0.dr Binary or memory string: [autorun]
Source: Explower.exe2.0.dr Binary or memory string: autorun.inf
Source: Umbrella.flv.exe.0.dr Binary or memory string: \autorun.inf
Source: Umbrella.flv.exe.0.dr Binary or memory string: [autorun]
Source: Umbrella.flv.exe.0.dr Binary or memory string: autorun.inf
Source: Notepad.exe.0.dr Binary or memory string: \autorun.inf
Source: Notepad.exe.0.dr Binary or memory string: [autorun]
Source: Notepad.exe.0.dr Binary or memory string: autorun.inf
Source: Explower.exe8.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe8.0.dr Binary or memory string: [autorun]
Source: Explower.exe8.0.dr Binary or memory string: autorun.inf
Source: Explower.exe.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe.0.dr Binary or memory string: [autorun]
Source: Explower.exe.0.dr Binary or memory string: autorun.inf
Source: Explower.exe1.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe1.0.dr Binary or memory string: [autorun]
Source: Explower.exe1.0.dr Binary or memory string: autorun.inf
Source: Explower.exe4.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe4.0.dr Binary or memory string: [autorun]
Source: Explower.exe4.0.dr Binary or memory string: autorun.inf
Source: Explower.exe3.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe3.0.dr Binary or memory string: [autorun]
Source: Explower.exe3.0.dr Binary or memory string: autorun.inf
Source: Explower.exe7.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe7.0.dr Binary or memory string: [autorun]
Source: Explower.exe7.0.dr Binary or memory string: autorun.inf
Source: Explower.exe6.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe6.0.dr Binary or memory string: [autorun]
Source: Explower.exe6.0.dr Binary or memory string: autorun.inf
Source: Explower.exe0.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe0.0.dr Binary or memory string: [autorun]
Source: Explower.exe0.0.dr Binary or memory string: autorun.inf
Source: Explower.exe5.0.dr Binary or memory string: \autorun.inf
Source: Explower.exe5.0.dr Binary or memory string: [autorun]
Source: Explower.exe5.0.dr Binary or memory string: autorun.inf
Source: autorun.inf.0.dr Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49740 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49740 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49740 -> 18.192.31.165:11348
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 3.124.142.205:11348
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 18.192.31.165:11348
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.124.142.205 3.124.142.205
Source: Joe Sandbox View IP Address: 18.192.31.165 18.192.31.165
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Njrat
Source: Yara match File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match File source: C:\Notepad.exe, type: DROPPED
Source: Yara match File source: C:\system.exe, type: DROPPED
Source: Yara match File source: C:\Umbrella.flv.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Notepad.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\system.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\system.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\system.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\system.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\system.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_0125BEFE NtQuerySystemInformation, 0_2_0125BEFE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_0125BECD NtQuerySystemInformation, 0_2_0125BECD
Creates files inside the system directory
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Windows\SysWOW64\Explower.exe Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Windows\SysWOW64\Explower.exe:Zone.Identifier:$DATA Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_01507418 0_2_01507418
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_01504298 0_2_01504298
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_01504269 0_2_01504269
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_015073FE 0_2_015073FE
Sample file is different than original file name gathered from version info
Source: 7UpMyeV5pj.exe, 00000000.00000002.4137881403.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs 7UpMyeV5pj.exe
Uses 32bit PE files
Source: 7UpMyeV5pj.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7UpMyeV5pj.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Notepad.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\system.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\system.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\system.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\system.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\system.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@5/30@4/2
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_0125BD82 AdjustTokenPrivileges, 0_2_0125BD82
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Code function: 0_2_0125BD4B AdjustTokenPrivileges, 0_2_0125BD4B
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Program Files (x86)\Explower.exe Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\app Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Mutant created: NULL
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Mutant created: \Sessions\1\BaseNamedObjects\c9ab3737857dedd15cd55323eac58732
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt Jump to behavior
Source: 7UpMyeV5pj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7UpMyeV5pj.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 7UpMyeV5pj.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File read: C:\Users\user\Desktop\7UpMyeV5pj.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7UpMyeV5pj.exe "C:\Users\user\Desktop\7UpMyeV5pj.exe"
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: 7UpMyeV5pj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: 7UpMyeV5pj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 7UpMyeV5pj.exe, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe0.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: system.exe.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Notepad.exe.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe1.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe2.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe3.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: Explower.exe4.0.dr, -.cs .Net Code: @ System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Code function: 3_2_05053140 push ebx; ret 3_2_05053154

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\Documents\Explower.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\system.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Notepad.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Windows\SysWOW64\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\Desktop\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Local\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Program Files (x86)\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Umbrella.flv.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\Documents\Explower.exe Jump to dropped file
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\Favorites\Explower.exe Jump to dropped file
Drops PE files to the program root directory (C:\Program Files)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Program Files (x86)\Explower.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Windows\SysWOW64\Explower.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 14B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 31C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 51C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 6310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 7310000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: A620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: B620000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: B880000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: C880000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: CD30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: DD30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: ED30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: FD30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 10D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 11D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 12D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 13D30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 14680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 15680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 16680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 17680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 18680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 19680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1A680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1B680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1C680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1D680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1E680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1F680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 20680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 21680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 22680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 23680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 24680000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: B920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 25920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 26920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 27920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 28920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 29920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2A920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2B920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2C920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2D920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2E920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 2F920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 30920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 31920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 32920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 33920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 34920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 35920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: BA20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: CA20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: DA20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: D160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: D2A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: EB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: FB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 10B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 11B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 12B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 13B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 14B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 15B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 16B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 17B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 18B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 19B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1AB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1BB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1CB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1DB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1EB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1FB20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 20B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 21B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 22B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 36920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 37920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 38920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 39920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3A920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3B920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3C920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3D920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3E920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 3F920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: FAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 10AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 11AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 12AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 13AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 14AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 15AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 16AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 17AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 18AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 19AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1AAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1BAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1CAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1DAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1EAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1FAA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 20AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 21AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 22AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: F6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 106E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 116E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 126E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 136E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 146E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 156E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 166E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 176E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 186E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 196E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1A6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1B6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1C6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1D6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1E6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 1F6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 206E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 216E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: 226E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Memory allocated: 11B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Memory allocated: 4E60000 memory commit | memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Window / User API: threadDelayed 2945 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Window / User API: threadDelayed 1870 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Window / User API: foregroundWindowGot 453 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Window / User API: foregroundWindowGot 481 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 4856 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 4856 Thread sleep count: 213 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020 Thread sleep count: 2945 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020 Thread sleep time: -1472500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 7144 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020 Thread sleep count: 1870 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020 Thread sleep time: -935000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 3496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138031209.000000000133C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWlicationName="
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138031209.000000000133C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000001.00000002.1729988687.00000000013DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Memory allocated: page read and write | page guard Jump to behavior
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:48 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:34 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:22 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 14:09:56 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:02 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 10:17:45 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/16 | 23:09:33 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:35 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 54:27 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:14:39 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 7 | 07:42:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/19 | 14:44:17 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:14 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:41 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/16 | 21:40:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:27 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:00 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/19 | 17:35:09 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:14 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:59 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:01 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:06 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:20 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 07:42:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/19 | 17:42:47 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 05:19:00 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:41 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:51 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:31 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 14:17:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:02 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:37 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 00:17:41 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:57 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:47 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:20 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 06:09:18 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:15:05 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:32 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:26 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:50 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/16 | 23:28:46 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:19:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:16 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:30 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:40 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:48 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 00:28:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:58 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:45 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 06:33:31 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138677784.000000000556B000.00000004.00000010.00020000.00000000.sdmp, 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, 7UpMyeV5pj.exe, 00000000.00000002.4138883948.000000000667D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:32 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:25 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:14:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/19 | 17:54:27 - Program Manager
Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr Binary or memory string: ProgMan
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 14:22:39 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:17 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:31 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:04 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:17 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:13:03 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:11 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:52 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138677784.000000000556B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: dProgram ManagerU
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 10:22:06 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/16 | 21:27:57 - Program Manager
Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:14:01 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:15:49 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:19 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 00:02:04 - Program Manager
Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr Binary or memory string: Shell_TrayWnd
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 09:52:02 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:34 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:14:31 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138883948.000000000667D000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000003.00000002.1850814531.0000000002E61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -ledProgram Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/17 | 02:09:47 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:14:16 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:17:10 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:59 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/14 | 17:58:49 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:49 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:15:28 - Program Manager
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/09/12 | 13:12:03 - Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Contains functionality to disable the Task Manager (.Net Source)
Source: 7UpMyeV5pj.exe, -.cs .Net Code: @
Source: Explower.exe.0.dr, -.cs .Net Code: @
Source: Explower.exe0.0.dr, -.cs .Net Code: @
Source: system.exe.0.dr, -.cs .Net Code: @
Source: Notepad.exe.0.dr, -.cs .Net Code: @
Source: Explower.exe1.0.dr, -.cs .Net Code: @
Source: Explower.exe2.0.dr, -.cs .Net Code: @
Source: Explower.exe3.0.dr, -.cs .Net Code: @
Source: Explower.exe4.0.dr, -.cs .Net Code: @
Disables the Windows task manager (taskmgr)
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr Jump to behavior
Disables zone checking for all users
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS Jump to behavior
Modifies the windows firewall
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE

Stealing of Sensitive Information
barindex
Yara detected Njrat
Source: Yara match File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match File source: C:\Notepad.exe, type: DROPPED
Source: Yara match File source: C:\system.exe, type: DROPPED
Source: Yara match File source: C:\Umbrella.flv.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Njrat
Source: Yara match File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match File source: C:\Notepad.exe, type: DROPPED
Source: Yara match File source: C:\system.exe, type: DROPPED
Source: Yara match File source: C:\Umbrella.flv.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1510282 Sample: 7UpMyeV5pj.exe Startdate: 12/09/2024 Architecture: WINDOWS Score: 100 27 0.tcp.eu.ngrok.io 2->27 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 11 other signatures 2->39 8 7UpMyeV5pj.exe 2 37 2->8         started        13 Explower.exe 3 2->13         started        signatures3 process4 dnsIp5 29 18.192.31.165, 11348, 49738, 49739 AMAZON-02US United States 8->29 31 0.tcp.eu.ngrok.io 3.124.142.205, 11348, 49730 AMAZON-02US United States 8->31 19 C:\system.exe, PE32 8->19 dropped 21 C:\Windows\SysWOW64xplower.exe, PE32 8->21 dropped 23 C:\Users\user\Favoritesxplower.exe, PE32 8->23 dropped 25 15 other malicious files 8->25 dropped 41 Drops PE files to the document folder of the user 8->41 43 Creates autorun.inf (USB autostart) 8->43 45 Disables zone checking for all users 8->45 47 4 other signatures 8->47 15 netsh.exe 2 8->15         started        file6 signatures7 process8 process9 17 conhost.exe 15->17         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
3.124.142.205
 0.tcp.eu.ngrok.io United States
16509 AMAZON-02US true
18.192.31.165
 unknown United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
0.tcp.eu.ngrok.io 3.124.142.205 true