Windows Analysis Report
Server_v0.0.0.0.exe

Overview

General Information

Sample name: Server_v0.0.0.0.exe
Analysis ID: 1551512
MD5: 1ea0ce92a9671c932d4839291da7d91b
SHA1: 25eaa42e77e876df66961a3b7360936acd3b941f
SHA256: 09f6b7cdce51c287cd7e6b996b89b548827d9e6960a4ac3c24ce8572bb6f2aac
Tags: exe, njrat, user-malrpt

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: Server_v0.0.0.0.exe Avira: detected
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack Malware Configuration Extractor: Njrat {"Host": "govpet.mysynology.net", "Port": "6987", "Version": "0.7d By Pjoao1578", "Registry Name": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Teste Do VBS", "Network Seprator": "|'|'|"}
Source: Server_v0.0.0.0.exe ReversingLabs: Detection: 92%
Source: Yara match File source: Server_v0.0.0.0.exe, type: SAMPLE
Source: Yara match File source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Server_v0.0.0.0.exe PID: 3884, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Server_v0.0.0.0.exe Joe Sandbox ML: detected
Source: Server_v0.0.0.0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Server_v0.0.0.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.6:49727 -> 45.88.88.7:6987
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.6:49767 -> 45.88.88.7:6987
Source: global traffic TCP traffic: 192.168.2.6:49709 -> 45.88.88.7:6987
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49746
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49892
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: govpet.mysynology.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Server_v0.0.0.0.exe, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: Server_v0.0.0.0.exe, type: SAMPLE
Source: Yara match File source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Server_v0.0.0.0.exe PID: 3884, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: 01 00 00 00

System Summary

Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 0_2_02623E60 NtSetInformationProcess, 0_2_02623E60
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 0_2_02623E59 NtSetInformationProcess, 0_2_02623E59
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 2_2_02A349A8 NtSetInformationProcess, 2_2_02A349A8
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 2_2_02A34A58 NtSetInformationProcess, 2_2_02A34A58
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 2_2_02A349A0 NtSetInformationProcess, 2_2_02A349A0
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 4_2_00E149B0 NtSetInformationProcess, 4_2_00E149B0
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 4_2_00E149A8 NtSetInformationProcess, 4_2_00E149A8
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 0_2_02624D43 0_2_02624D43
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 0_2_0262F28C 0_2_0262F28C
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 0_2_0262DF60 0_2_0262DF60
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 2_2_02A34500 2_2_02A34500
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Code function: 4_2_00E14508 4_2_00E14508
Source: Server_v0.0.0.0.exe, 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameServer.exe4 vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357475106.0000000000738000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe, 00000002.00000002.3357483376.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe, 00000004.00000002.3357493908.00000000005C8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe, 00000004.00000002.3360518334.0000000000B58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe Binary or memory string: OriginalFilenameServer.exe4 vs Server_v0.0.0.0.exe
Source: Server_v0.0.0.0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Server_v0.0.0.0.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Mutant created: NULL
Source: Server_v0.0.0.0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Server_v0.0.0.0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Server_v0.0.0.0.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\Server_v0.0.0.0.exe "C:\Users\user\Desktop\Server_v0.0.0.0.exe"
Source: unknown Process created: C:\Users\user\Desktop\Server_v0.0.0.0.exe "C:\Users\user\Desktop\Server_v0.0.0.0.exe"
Source: unknown Process created: C:\Users\user\Desktop\Server_v0.0.0.0.exe "C:\Users\user\Desktop\Server_v0.0.0.0.exe"
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Server_v0.0.0.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Server_v0.0.0.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Server_v0.0.0.0.exe, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Server.exe
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 4800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: 46F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 692
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 3380
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 2490
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: foregroundWindowGot 1762
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 3385
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 2491
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 612
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 3352
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: threadDelayed 3028
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Window / User API: foregroundWindowGot 1771
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 4436 Thread sleep time: -69200s >= -30000s
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 4436 Thread sleep time: -249000s >= -30000s
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 7148 Thread sleep count: 3385 > 30
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6256 Thread sleep count: 2491 > 30
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6256 Thread sleep time: -249100s >= -30000s
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6256 Thread sleep count: 612 > 30
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6256 Thread sleep time: -61200s >= -30000s
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 4460 Thread sleep count: 3352 > 30
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6872 Thread sleep count: 3028 > 30
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe TID: 6872 Thread sleep time: -302800s >= -30000s
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000002.00000002.3357606562.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000004.00000002.3360518334.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Server_v0.0.0.0.exe, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Server_v0.0.0.0.exe, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Server_v0.0.0.0.exe, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000000.00000002.3363596109.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000000.00000002.3363596109.0000000002A52000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5
Source: Server_v0.0.0.0.exe, 00000000.00000002.3357842214.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
Source: Server_v0.0.0.0.exe, 00000004.00000002.3363283653.00000000026FD000.00000004.00000800.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000004.00000002.3363283653.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Server_v0.0.0.0.exe, 00000000.00000002.3363596109.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000000.00000002.3363596109.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, Server_v0.0.0.0.exe, 00000002.00000002.3363019172.0000000002A51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: Server_v0.0.0.0.exe, 00000004.00000002.3360518334.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\Users\user\Desktop\Server_v0.0.0.0.exe VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Server_v0.0.0.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Server_v0.0.0.0.exe, type: SAMPLE
Source: Yara match File source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Server_v0.0.0.0.exe PID: 3884, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Server_v0.0.0.0.exe, type: SAMPLE
Source: Yara match File source: 0.0.Server_v0.0.0.0.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2106558459.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Server_v0.0.0.0.exe PID: 3884, type: MEMORYSTR