Windows Analysis Report
imX19sLDxY.exe

Overview

General Information

Sample name: imX19sLDxY.exe
renamed because original name is a hash value
Original sample name: 3bd5f723cd50d790a31f7a7854597438.exe
Analysis ID: 1519554
MD5: 3bd5f723cd50d790a31f7a7854597438
SHA1: c0223ba8beadb32eadb6778929c69e3ffb7173f8
SHA256: 1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file has nameless sections
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: imX19sLDxY.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Avira: detection malicious, Label: HEUR/AGEN.1307838
Source: C:\Users\user\AppData\Local\Temp\system.exe Avira: detection malicious, Label: HEUR/AGEN.1307838
Source: C:\Users\user\AppData\Local\Tempdll.exe Avira: detection malicious, Label: HEUR/AGEN.1307838
Source: 5.2.system.exe.40822e0.0.raw.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "Pro-SYstem", "Version": "0.7d", "Install Name": "system.exe", "Install Dir": "TEMP", "Registry Value": "9e82a5ccaed752a57fda004b4018de61", "Host": "x555hd.ddns.net", "Port": "555", "Network Seprator": "|'|'|", "Install Flag": "False"}
Source: C:\Users\user\AppData\Local\Temp\system.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Tempdll.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe ReversingLabs: Detection: 44%
Source: imX19sLDxY.exe ReversingLabs: Detection: 60%
Source: Yara match File source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tempdll.exe PID: 3172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 1532, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\system.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Tempdll.exe Joe Sandbox ML: detected
Source: imX19sLDxY.exe Joe Sandbox ML: detected
Source: imX19sLDxY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\imX19sLDxY.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: imX19sLDxY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: E:\programming\dll\dll\obj\Debug\dll.pdb source: Tempdll.exe, 00000004.00000000.2166481060.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp, imX19sLDxY.exe, 9e82a5ccaed752a57fda004b4018de61.exe.5.dr, system.exe.4.dr
Source: Binary string: C:\Users\Bahi\AppData\Local\Temporary Projects\Waircut\obj\Debug\Waircut.pdb source: imX19sLDxY.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TempWaircut.exe, 00000003.00000002.2263280639.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:49715 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:58589 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:58589 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:58589 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:58589 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:58589 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:58591 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:58591 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:58591 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:58591 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:58590 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:58592 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:58592 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:58592 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:58592 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:58592 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:58591 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:58593 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:58593 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:58593 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:58593 -> 197.207.192.227:555
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:58593 -> 197.207.192.227:555
Source: unknown DNS query: name: x555hd.ddns.net
Source: Yara match File source: imX19sLDxY.exe, type: SAMPLE
Source: Yara match File source: 3.0.TempWaircut.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.imX19sLDxY.exe.ed213b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\TempWaircut.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 197.207.192.227:555
Source: Joe Sandbox View ASN Name: ALGTEL-ASDZ ALGTEL-ASDZ
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: x555hd.ddns.net
Source: TempWaircut.exe, 00000003.00000002.2237502264.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TempWaircut.exe, 00000003.00000002.2237502264.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mediafire.com/api/1.4/upload/simple.php?filedrop_key=492214d7de748aafa049a2428a99157bbcd9
Source: TempWaircut.exe, 00000003.00000002.2237502264.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sourceforge.net/projects/waircut/files/
Source: TempWaircut.exe, 00000003.00000002.2237502264.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sourceforge.net/projects/waircutU

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tempdll.exe PID: 3172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 1532, type: MEMORYSTR

System Summary

Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Tempdll.exe.0.dr, Module1.cs Long String: Length: 32088
Source: system.exe.4.dr, Module1.cs Long String: Length: 32088
Source: TempWaircut.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\system.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05092C98 3_2_05092C98
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05090860 3_2_05090860
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05091880 3_2_05091880
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_050973F0 3_2_050973F0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_050942E3 3_2_050942E3
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05094577 3_2_05094577
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_050946D3 3_2_050946D3
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05090956 3_2_05090956
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05090968 3_2_05090968
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05094048 3_2_05094048
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05094042 3_2_05094042
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0509187A 3_2_0509187A
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05092B6D 3_2_05092B6D
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05094372 3_2_05094372
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05092BB9 3_2_05092BB9
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051A7A68 3_2_051A7A68
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051A44F4 3_2_051A44F4
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051A5C90 3_2_051A5C90
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051A7E91 3_2_051A7E91
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C58870 3_2_05C58870
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C55800 3_2_05C55800
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5E2E0 3_2_05C5E2E0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7ACEA8 3_2_0B7ACEA8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7AF5F8 3_2_0B7AF5F8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7A07F0 3_2_0B7A07F0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7A07E0 3_2_0B7A07E0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B0040 3_2_0B7B0040
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B0030 3_2_0B7B0030
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B5F78 3_2_0B7B5F78
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B5F70 3_2_0B7B5F70
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B3F10 3_2_0B7B3F10
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7B3F00 3_2_0B7B3F00
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D25F6B0 3_2_0D25F6B0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D256C70 3_2_0D256C70
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D256CC0 3_2_0D256CC0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D259581 3_2_0D259581
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D25F6A8 3_2_0D25F6A8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D2542CF 3_2_0D2542CF
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D2991B8 3_2_0D2991B8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D29D1BC 3_2_0D29D1BC
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D299B3C 3_2_0D299B3C
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D29D3D4 3_2_0D29D3D4
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D2981A8 3_2_0D2981A8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D29F1F0 3_2_0D29F1F0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D293B20 3_2_0D293B20
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D420040 3_2_0D420040
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D428D41 3_2_0D428D41
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D428D50 3_2_0D428D50
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D42AEB8 3_2_0D42AEB8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D42B3A0 3_2_0D42B3A0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E972748 3_2_0E972748
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E970040 3_2_0E970040
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E97CDA8 3_2_0E97CDA8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E97E8D0 3_2_0E97E8D0
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E97CD99 3_2_0E97CD99
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E971141 3_2_0E971141
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0ED83A7C 3_2_0ED83A7C
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0ED8EF28 3_2_0ED8EF28
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDC9FC4 3_2_0EDC9FC4
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDC0FB8 3_2_0EDC0FB8
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDC5788 3_2_0EDC5788
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDC44B4 3_2_0EDC44B4
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDC3360 3_2_0EDC3360
Source: C:\Users\user\AppData\Local\Tempdll.exe Code function: 4_2_00007FF848F61A4D 4_2_00007FF848F61A4D
Source: C:\Users\user\AppData\Local\Temp\system.exe Code function: 5_2_00007FF848F71A4D 5_2_00007FF848F71A4D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\TempWaircut.exe 600986E9892988BA772CE853C559FB7C28186E84422AF9AED53F2327F5FF45DE
Source: imX19sLDxY.exe, 00000000.00000000.2132399521.0000000001D5A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWaircut.exe0 vs imX19sLDxY.exe
Source: imX19sLDxY.exe, 00000000.00000002.4600325439.0000000004301000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWaircut.exe0 vs imX19sLDxY.exe
Source: imX19sLDxY.exe, 00000000.00000002.4600325439.0000000004301000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs imX19sLDxY.exe
Source: imX19sLDxY.exe, 00000000.00000002.4600325439.0000000004301000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: U,\\StringFileInfo\\000004B0\\OriginalFilename vs imX19sLDxY.exe
Source: imX19sLDxY.exe Binary or memory string: OriginalFilenameWaircut.exe0 vs imX19sLDxY.exe
Source: imX19sLDxY.exe Binary or memory string: OriginalFilenamedll.exe( vs imX19sLDxY.exe
Source: imX19sLDxY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@16/10@3/1
Source: C:\Users\user\AppData\Local\TempWaircut.exe File created: C:\Users\user\AppData\Local\Patcher
Source: C:\Users\user\AppData\Local\Temp\system.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\system.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\system.exe Mutant created: \Sessions\1\BaseNamedObjects\9e82a5ccaed752a57fda004b4018de61
Source: C:\Users\user\AppData\Local\Tempdll.exe File created: C:\Users\user\AppData\Local\Temp\system.exe
Source: imX19sLDxY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: imX19sLDxY.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\imX19sLDxY.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\imX19sLDxY.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: imX19sLDxY.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\imX19sLDxY.exe "C:\Users\user\Desktop\imX19sLDxY.exe"
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\TempWaircut.exe "C:\Users\user\AppData\Local\TempWaircut.exe"
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\Tempdll.exe "C:\Users\user\AppData\Local\Tempdll.exe"
Source: C:\Users\user\AppData\Local\Tempdll.exe Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe"
Source: C:\Users\user\AppData\Local\Temp\system.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\system.exe" "system.exe" ENABLE
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe" ..
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\TempWaircut.exe "C:\Users\user\AppData\Local\TempWaircut.exe"
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\Tempdll.exe "C:\Users\user\AppData\Local\Tempdll.exe"
Source: C:\Users\user\AppData\Local\Tempdll.exe Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe"
Source: C:\Users\user\AppData\Local\Temp\system.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\system.exe" "system.exe" ENABLE
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\imX19sLDxY.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Tempdll.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: winmm.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TempWaircut.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\imX19sLDxY.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: imX19sLDxY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: imX19sLDxY.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: imX19sLDxY.exe Static file information: File size 15325696 > 1048576
Source: C:\Users\user\Desktop\imX19sLDxY.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll Jump to behavior
Source: imX19sLDxY.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe84600
Source: imX19sLDxY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: imX19sLDxY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\programming\dll\dll\obj\Debug\dll.pdb source: Tempdll.exe, 00000004.00000000.2166481060.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp, imX19sLDxY.exe, 9e82a5ccaed752a57fda004b4018de61.exe.5.dr, system.exe.4.dr
Source: Binary string: C:\Users\Bahi\AppData\Local\Temporary Projects\Waircut\obj\Debug\Waircut.pdb source: imX19sLDxY.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TempWaircut.exe, 00000003.00000002.2263280639.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Tempdll.exe.0.dr, Module1.cs .Net Code: main System.AppDomain.Load(byte[])
Source: system.exe.4.dr, Module1.cs .Net Code: main System.AppDomain.Load(byte[])
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: TempWaircut.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0509668D push ebp; retf 3_2_05096696
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05193B68 push ds; retn 0004h 3_2_05193BA2
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051943F7 pushfd ; retf 3_2_051943FB
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05190A68 push esi; iretd 3_2_05190A69
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_051A4248 push esp; iretd 3_2_051A4249
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C596C0 push cs; ret 3_2_05C596C2
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C596C3 push cs; ret 3_2_05C596CA
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C59669 push cs; ret 3_2_05C5966A
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5A1A9 push ss; ret 3_2_05C5A1AA
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5A1AB push ss; ret 3_2_05C5A1B2
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5C898 pushad ; ret 3_2_05C5C899
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5B3B7 push ds; ret 3_2_05C5B3BA
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C54340 pushad ; ret 3_2_05C54341
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C54343 push eax; ret 3_2_05C54349
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5B2C1 push ds; ret 3_2_05C5B2C2
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5A283 push ss; ret 3_2_05C5A28A
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5B270 push ds; ret 3_2_05C5B272
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5B273 push ds; ret 3_2_05C5B27A
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_05C5A27F push ss; ret 3_2_05C5A282
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7BE997 push eax; mov dword ptr [esp], ecx 3_2_0B7BE9AC
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B7BE8A1 push C00B790Eh; ret 3_2_0B7BE8AD
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B801F3C push ecx; retf 3_2_0B801F3D
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B8005EF push 8BFFFFE7h; iretd 3_2_0B8005FB
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0B80510D push cs; ret 3_2_0B805117
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0CDF36F8 push eax; mov dword ptr [esp], edx 3_2_0CDF370C
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0CDFE3D0 pushad ; retf 3_2_0CDFE431
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D291952 push eax; retf 3_2_0D2919E9
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0D4253D0 push esp; iretd 3_2_0D4253DD
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0E970CEC push 8B03B96Ch; iretd 3_2_0E970DE6
Source: C:\Users\user\AppData\Local\TempWaircut.exe Code function: 3_2_0EDCE45F push cs; iretd 3_2_0EDCE468
Source: TempWaircut.exe.0.dr Static PE information: section name: .data entropy: 7.810640091864748
Source: C:\Users\user\Desktop\imX19sLDxY.exe File created: C:\Users\user\AppData\Local\TempWaircut.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Tempdll.exe File created: C:\Users\user\AppData\Local\Temp\system.exe Jump to dropped file
Source: C:\Users\user\Desktop\imX19sLDxY.exe File created: C:\Users\user\AppData\Local\Tempdll.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to dropped file
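As an added example (not part of the sandbox report, and not code from the sample), the static checks behind three of the rows in this section, run on a PE image constructed in memory so it works offline: a section-table walker that reports a nameless section, per-section Shannon entropy (the report measured 7.81 for .data; the 7.0 cut-off is my assumption) and the 0x100000 .text size yardstick the report itself uses. All function and constant names are mine, and the seeded pseudo-random bytes stand in for the packed payload.

```python
"""Static triage of the PE facts listed above: nameless section, high-entropy
.data, oversized .text. Added example; the PE image is constructed in memory."""
import math
import random
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field holding the PE signature offset
SECTION_HEADER_SIZE = 40
ENTROPY_THRESHOLD = 7.0         # bits per byte; packed or encrypted data approaches 8.0
TEXT_SIZE_THRESHOLD = 0x100000  # the report's own 1 MiB yardstick for .text


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    one dict per section (name, sizes, raw bytes): only the fields the checks need."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, table + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "data": image[rptr:rptr + rsize],
        })
    return sections


def section_findings(image):
    """The anomaly strings a report would list for this image."""
    findings = []
    for s in parse_sections(image):
        label = s["name"] or "<nameless>"
        if not s["name"]:
            findings.append(f"nameless section ({s['raw_size']:#x} bytes raw)")
        h = shannon_entropy(s["data"])
        if h > ENTROPY_THRESHOLD:
            findings.append(f"section {label} entropy {h:.2f} > {ENTROPY_THRESHOLD}")
        if s["name"] == ".text" and max(s["raw_size"], s["virtual_size"]) > TEXT_SIZE_THRESHOLD:
            findings.append(f".text larger than {TEXT_SIZE_THRESHOLD:#x} "
                            f"(raw {s['raw_size']:#x}, virtual {s['virtual_size']:#x})")
    return findings


def build_test_image(sections):
    """Constructed minimal PE for the parser above (not loadable): DOS header, PE
    signature, COFF header with an empty optional header, section table, raw data.
    sections: list of (name, raw_bytes, virtual_size)."""
    pe_off = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_len = pe_off + 4 + len(coff) + SECTION_HEADER_SIZE * len(sections)
    first_ptr = (headers_len + 0x1FF) & ~0x1FF        # 512-byte file alignment
    data_ptr, vaddr, table, blobs = first_ptr, 0x1000, b"", b""
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), data_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        data_ptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", pe_off)
    head = dos + b"PE\0\0" + coff + table
    return head + b"\0" * (first_ptr - len(head)) + blobs


def sample_image():
    """Constructed stand-in for the report's binary: a low-entropy .text, a .data
    section of pseudo-random bytes, and a nameless section, also pseudo-random."""
    rng = random.Random(1519554)   # seeded on the analysis ID so results are reproducible

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 64   # prologue plus NOPs, repeated
    return build_test_image([
        (b".text", text, len(text)),
        (b".data", noise(0x2000), 0x2000),
        (b"", noise(0x400), 0x400),
    ])


if __name__ == "__main__":
    for finding in section_findings(sample_image()):
        print(finding)
```

The entropy check is a triage signal, not proof of packing: compressed resources and embedded certificates also score near 8.0, which is why the report pairs it with the nameless section and the .NET `Assembly.Load(byte[])` references before calling the sample an unpacker.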

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior
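An added example (not part of the sandbox report) of the scoring a triage script would apply to the rows above: the same 32-hex-digit name appears as a Run value in both HKLM and HKCU and as an executable in the Startup folder, all written by a process running from the user's Temp directory. The input rows are copied from this report; the benign `Updater.exe` row, the four heuristics and the function names are my assumptions.

```python
"""Scoring pass over Boot Survival rows: Run values in HKLM and HKCU plus a
Startup-folder executable sharing one hash-shaped name. Added example."""
import re
from collections import defaultdict

ROW = re.compile(
    r"^Source: (?P<proc>.+?) (?P<kind>Registry value created or modified|File created): "
    r"(?P<rest>.+?)(?: Jump to (?:behavior|dropped file))?$"
)
RUN_KEY = re.compile(
    r"^(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\(?P<file>[^\\]+)$", re.I)
HASH_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)        # MD5-shaped artifact names
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I)

# Rows copied from this report (the Startup row appears twice, once per link label);
# the last row is a constructed benign baseline, not from the report.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\system.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e82a5ccaed752a57fda004b4018de61.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e82a5ccaed752a57fda004b4018de61 Jump to behavior",
    r"Source: C:\Program Files\Vendor\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VendorUpdater",
]


def parse_row(line):
    """One report row -> (process, location, artifact name), or None when the row
    is neither a Run/RunOnce value write nor a Startup-folder file drop."""
    m = ROW.match(line.strip())
    if not m:
        return None
    proc, rest = m["proc"], m["rest"]
    if m["kind"].startswith("Registry"):
        key, _, name = rest.rpartition(" ")   # the report puts the value name after the key
        rk = RUN_KEY.match(key)
        return (proc, f"{rk['hive']}\\...\\{rk['key']}", name) if rk else None
    sd = STARTUP_DIR.search(rest)
    return (proc, "Startup folder", sd["file"]) if sd else None


def persistence_findings(rows):
    """Group persistence locations by artifact name (case-folded, .exe stripped) and
    score each group. Returns {name: {"locations": [...], "reasons": [...], "score": n}}."""
    groups = defaultdict(lambda: {"locations": [], "processes": set()})
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        proc, location, name = parsed
        g = groups[re.sub(r"\.exe$", "", name, flags=re.I).lower()]
        if location not in g["locations"]:      # duplicate rows collapse to one location
            g["locations"].append(location)
        g["processes"].add(proc)

    findings = {}
    for name, g in groups.items():
        reasons = []
        if HASH_NAME.match(name):
            reasons.append("artifact name is a 32-hex-digit hash")
        if any(USER_WRITABLE.search(p) for p in g["processes"]):
            reasons.append("written by a process running from a user-writable directory")
        hives = {loc.split("\\")[0] for loc in g["locations"] if loc.startswith("HKEY")}
        if len(hives) == 2:
            reasons.append("same value set in both HKLM and HKCU Run")
        if hives and "Startup folder" in g["locations"]:
            reasons.append("Run key backed by a Startup-folder copy")
        findings[name] = {"locations": g["locations"], "reasons": reasons, "score": len(reasons)}
    return findings


if __name__ == "__main__":
    for name, f in persistence_findings(SAMPLE_ROWS).items():
        print(f"{name}: score {f['score']} {f['locations']} {f['reasons']}")
```

Grouping by the artifact name rather than by row is what surfaces the redundancy: one Run value on its own is routine, while the same name in both hives plus a Startup-folder copy is the layered autostart this report flags under "Creates autostart registry keys with suspicious names".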
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TempWaircut.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Tempdll.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\imX19sLDxY.exe Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\imX19sLDxY.exe Memory allocated: 4300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\imX19sLDxY.exe Memory allocated: 1C300000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 6310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 6440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 7440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 7960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 8960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Memory allocated: 9960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Tempdll.exe Memory allocated: 3340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Tempdll.exe Memory allocated: 1B340000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 2400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 4070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 1C070000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 1DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 3D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 1BD00000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 35A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 1B5A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 2110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 3E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\system.exe Memory allocated: 1BE00000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempWaircut.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Tempdll.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\system.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\system.exe Window / User API: threadDelayed 1710
Source: C:\Users\user\AppData\Local\Temp\system.exe Window / User API: threadDelayed 3675
Source: C:\Users\user\AppData\Local\Temp\system.exe Window / User API: threadDelayed 4001
Source: C:\Users\user\AppData\Local\Temp\system.exe Window / User API: foregroundWindowGot 1775
Source: C:\Users\user\AppData\Local\TempWaircut.exe TID: 3636 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\TempWaircut.exe TID: 1240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Tempdll.exe TID: 5360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 4724 Thread sleep count: 1710 > 30
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 4724 Thread sleep time: -1710000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 6472 Thread sleep count: 3675 > 30
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 4724 Thread sleep count: 4001 > 30
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 4724 Thread sleep time: -4001000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 1412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\system.exe TID: 1096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Tempdll.exe, 00000004.00000002.2241223851.00000000014DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\1:^
Source: imX19sLDxY.exe, 00000000.00000002.4594172229.0000000002321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z9A_
Source: netsh.exe, 00000007.00000002.2319837895.0000028C28320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAAN
Source: system.exe, 00000005.00000002.4594039990.00000000020DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/>v2D@
Source: TempWaircut.exe, 00000003.00000002.2236059921.0000000000F62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\system.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\system.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\imX19sLDxY.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\TempWaircut.exe "C:\Users\user\AppData\Local\TempWaircut.exe"
Source: C:\Users\user\Desktop\imX19sLDxY.exe Process created: C:\Users\user\AppData\Local\Tempdll.exe "C:\Users\user\AppData\Local\Tempdll.exe"
Source: C:\Users\user\AppData\Local\Tempdll.exe Process created: C:\Users\user\AppData\Local\Temp\system.exe "C:\Users\user\AppData\Local\Temp\system.exe"
Source: system.exe, 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, system.exe, 00000005.00000002.4594039990.0000000002119000.00000004.00000020.00020000.00000000.sdmp, system.exe, 00000005.00000002.4594039990.00000000020DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: system.exe, 00000005.00000002.4594039990.00000000020DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.net?
Source: system.exe, 00000005.00000002.4594039990.00000000020DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerFiles
Source: system.exe, 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: system.exe, 00000005.00000002.4594039990.0000000002119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerY\SYSTEMl
Source: system.exe, 00000005.00000002.4594039990.0000000002119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerOINT
Source: system.exe, 00000005.00000002.4594039990.00000000020DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.net
Source: system.exe, 00000005.00000002.4594039990.0000000002119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQl
Source: system.exe, 00000005.00000002.4594039990.0000000002119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerYSTMol(
Source: C:\Users\user\Desktop\imX19sLDxY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Users\user\AppData\Local\TempWaircut.exe VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\system.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\TempWaircut.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\system.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\system.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\system.exe" "system.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tempdll.exe PID: 3172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 1532, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 12.2.system.exe.40dcdf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.1bc40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.system.exe.40dcdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Tempdll.exe.371cde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.system.exe.40822e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2282788158.000000001BC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2506154802.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2243309082.0000000003565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4598988067.0000000004082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tempdll.exe PID: 3172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: system.exe PID: 1532, type: MEMORYSTR