Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 5, 2025, 2:54 p.m.	Feb. 5, 2025, 2:56 p.m.

Size	27.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`eee37f6f66eafa13d9555dfc9ccb3805`
SHA256	`ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9`
CRC32	`A0A49D93`
ssdeep	`384:fL1M2XwBNOaLNOFE/Av2yeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaM4:Te220M0Wl7A/vMHTi9bD`
Yara	PE_Header_Zero - PE File Signature Win_Backdoor_njRAT_2_Zero - Win Backdoor njRAT Is_DotNET_EXE - (no description) IsPE32 - (no description)

winX32.exe "C:\Users\test22\AppData\Local\Temp\winX32.exe"
2544
- winX32.exe "C:\Users\test22\AppData\Roaming\winX32.exe"
  2756
- attrib.exe attrib +h +r +s "C:\Users\test22\AppData\Roaming\winX32.exe"
  2796
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
sosomyhestor.ddns.net	A 46.153.112.54	46.153.112.54

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.153.112.54	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 5, 2025, 2:55 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Feb. 5, 2025, 2:55 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 5, 2025, 2:54 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 2:54 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 5, 2025, 2:55 p.m.		1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

sosomyhestor.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:56 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:54 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 2:55 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

winX32.exe tried to sleep 187 seconds, actually delayed analysis time by 187 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\winX32.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\winX32.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\winX32.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Feb. 5, 2025, 2:55 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Feb. 5, 2025, 2:55 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Feb. 5, 2025, 2:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

attrib +h +r +s "C:\Users\test22\AppData\Roaming\winX32.exe"

Installs itself for autorun at Windows startup (50 out of 206 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\winX32.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.153.112.54:443

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.lWjm
MicroWorld-eScan	Generic.MSIL.Bladabindi.C7664687
CAT-QuickHeal	Trojan.GenericFC.S17873958
Skyhigh	BehavesLike.Win32.BackdoorNJRat.mm
ALYac	Generic.MSIL.Bladabindi.C7664687
Cylance	Unsafe
VIPRE	Generic.MSIL.Bladabindi.C7664687
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.MSIL.Bladabindi.C7664687
K7GW	Trojan ( 004915961 )
K7AntiVirus	Trojan ( 004915961 )
Arcabit	Generic.MSIL.Bladabindi.CD74F42F
VirIT	Backdoor.Win32.BladabindiNET.J
Symantec	Backdoor.Ratenjay
Elastic	Windows.Trojan.Njrat
ESET-NOD32	a variant of MSIL/Bladabindi.AS
APEX	Malicious
Avast	Win32:KeyloggerX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:MSIL/AsyncRat.e955479e
NANO-Antivirus	Trojan.Win32.Bladabindi.kvmqvs
Rising	Backdoor.njRAT!1.D4D6 (CLASSIC)
Emsisoft	Generic.MSIL.Bladabindi.C7664687 (B)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	BackDoor.BladabindiNET.9
Zillya	Trojan.Bladabindi.Win32.23092
TrendMicro	BKDR_BLADABI.SMC
McAfeeD	Real Protect-LS!EEE37F6F66EA
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.bladabindi
Sophos	Mal/AsyncRat-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.eee37f6f66eafa13
Jiangmin	AdWare.Amonetize.ammc
Google	Detected
Avira	TR/Dropper.Gen7
Kingsoft	malware.kb.c.1000
Gridinsoft	Ransom.Win32.Bladabindi.sa
Microsoft	Backdoor:MSIL/AsyncRat!atmn
GData	MSIL.Trojan.Bladabindi.BW
Varist	W32/MSIL_Bladabindi.GD.gen!Eldorado
AhnLab-V3	Backdoor/Win32.Bladabindi.R137413
McAfee	BackDoor-NJRat!EEE37F6F66EA
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.Autorave.Heur
Malwarebytes	Bladabindi.Backdoor.Bot.DDS
Ikarus	Trojan.MSIL.Agent
Panda	Trj/GdSda.A
Zoner	Trojan.Win32.118968

winX32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All