File name: Nj-Builder.exe

Full analysis: https://app.any.run/tasks/8d59376f-bb64-4dd4-acdd-081b70102262
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 29, 2025, 22:49:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sinkhole
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: C636801035C0B11BCD1244132DE12A55
SHA1: 428C4D84482AF7D5822F46B6614791EA03AACD15
SHA256: BCD8105EF53E923C9E55E15DD39B2DC022D8A120AF234BA634A77CF500DABFEB
SSDEEP: 49152:QuHhEqWiBSoOWHMfxrOVxRUAQnga5IqyMrpbDvAYLLeCz2PIfoOKyLP5HmiOBDN5:QuHhEqpBqCl6ga5pN/ALm2PIDK4PZmDg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Nj-Builder.exe (PID: 7432)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Nj-Builder.exe (PID: 7432)
    • Executable content was dropped or overwritten

      • Nj-Builder.exe (PID: 7432)
    • Executes application which crashes

      • Nj-Builder.exe (PID: 7432)
  • INFO

    • Reads the computer name

      • Nj-Builder.exe (PID: 7432)
    • Creates files or folders in the user directory

      • Nj-Builder.exe (PID: 7432)
      • WerFault.exe (PID: 7600)
    • Checks supported languages

      • Nj-Builder.exe (PID: 7432)
    • The sample compiled with english language support

      • Nj-Builder.exe (PID: 7432)
    • Checks proxy server information

      • Nj-Builder.exe (PID: 7432)
      • slui.exe (PID: 7876)
    • Reads the software policy settings

      • slui.exe (PID: 7876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:29 22:35:05+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 425472
InitializedDataSize: 231936
UninitializedDataSize: -
EntryPoint: 0x67200
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: start → nj-builder.exe → werfault.exe (no specs); slui.exe (parent: svchost.exe)

Process information

PID: 7432
CMD: "C:\Users\admin\Desktop\Nj-Builder.exe"
Path: C:\Users\admin\Desktop\Nj-Builder.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (images):
  c:\users\admin\desktop\nj-builder.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll

PID: 7600
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7432 -s 1128
Path: C:\Windows\System32\WerFault.exe
Parent process: Nj-Builder.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\cryptsp.dll
  c:\windows\system32\oleaut32.dll

PID: 7876
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 5 484
Read events: 5 484
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 7600 (WerFault.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Nj-Builder.exe_99a19de87bd78f4bba79ef99581fa61cc8cc92d_8c949426_9c573112-4253-4774-ad1e-804a2fa9fd36\Report.wer
Type: -
MD5: -
SHA256: -

PID: 7432 (Nj-Builder.exe)
Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
Type: binary
MD5: 9A77572368D9DAC86D66D50D3B724465
SHA256: 7AC43009601790F7A8041E3DE6B6B2256463752EDBF8890788D84FE6FDD56739

PID: 7600 (WerFault.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD833.tmp.xml
Type: xml
MD5: 84A2CFAFDA06932EA4E70E39FB11D978
SHA256: 833CDD2EB14CB7F26CEE113C5274D20426687C331BBED4C24EEFACE0E27553A2

PID: 7600 (WerFault.exe)
Filename: C:\Users\admin\AppData\Local\CrashDumps\Nj-Builder.exe.7432.dmp
Type: binary
MD5: E629DBDF8A96B5072FA350218F4E95C2
SHA256: ECE9597841C9135B19C8084356C22F1A420104A9399D6B4C8C4AFD18134ADB0F

PID: 7432 (Nj-Builder.exe)
Filename: C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe
Type: executable
MD5: 33344B713B9E59FA704D05682ADB3BEE
SHA256: B8329E19DB712D566447F8D330DC60FD1BE5959292AB8BAE8AFC8545ED0584E9

PID: 7600 (WerFault.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD813.tmp.WERInternalMetadata.xml
Type: binary
MD5: D3B314653D1CA592FCA974B150C6ECED
SHA256: 0518360D985D06187BF227396F1FD7D371636515CB56C12ADA74B65A152F9755

PID: 7432 (Nj-Builder.exe)
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Type: executable
MD5: A21048F73433ECCCCC494AADF2D9DA4B
SHA256: 3F3541133ED0BB39C2BD0E6CFB288637149C0A57D212E18D89A1031B343D423D

PID: 7432 (Nj-Builder.exe)
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Type: executable
MD5: 56EE5B68FAE6ABD154A0B980912077C4
SHA256: F2732B6796D2AC750F4E9BFE35B785C3DB9E7B9E7A9CA6B26641E78232751A64

PID: 7432 (Nj-Builder.exe)
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Type: executable
MD5: 57E3132E944035CA40C469672AE78D49
SHA256: 87BC0591A45A2E2FA7E4F76EC12451D4FD14CFAB6AA9FB476288A3958049AB52

PID: 7600 (WerFault.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD728.tmp.dmp
Type: binary
MD5: 39D0216FA90ED100C267389E4448FE79
SHA256: 8CC2AF132EFF632ED8174D3371CA22218BC1E8376123E9E3286416620913E79A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 8
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7432 | Nj-Builder.exe | POST | 200 | 52.11.240.239:80 | http://pywolwnvd.biz/unihrbwjybue | unknown | - | - | malicious
7432 | Nj-Builder.exe | POST | 200 | 13.213.51.196:80 | http://ssbzmoy.biz/ffrdpoogofu | unknown | - | - | malicious
7432 | Nj-Builder.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/eajlkgsaqywuwejk | unknown | - | - | malicious
7432 | Nj-Builder.exe | POST | 200 | 52.11.240.239:80 | http://cvgrf.biz/ftfcdllniee | unknown | - | - | malicious
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7432 | Nj-Builder.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
7432 | Nj-Builder.exe | 13.213.51.196:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
7432 | Nj-Builder.exe | 3.229.117.57:80 | npukfztj.biz | AMAZON-AES | US | malicious
1348 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7876 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.184.206 | whitelisted
pywolwnvd.biz | 52.11.240.239 | malicious
ssbzmoy.biz | 13.213.51.196 | malicious
cvgrf.biz | 52.11.240.239 | malicious
npukfztj.biz | 3.229.117.57 | malicious
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7432 | Nj-Builder.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
No debug info