
Windows Analysis Report
pkFIMBYMWr.exe

Overview

General Information

Sample name: pkFIMBYMWr.exe (renamed because the original name is a hash value)
Original sample name: 769cc0701ddb3b77485187f4cfb89f53.exe
Analysis ID: 1635682
MD5: 769cc0701ddb3b77485187f4cfb89f53
SHA1: 3483f93d4ddba48dc3b2a57299bbf5dfed6c9a66
SHA256: 1dc6f8dbbf2f2aa8359db7fdf4b71068a64faef5fc56d7452744ea3fde30a12a
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables zone checking for all users
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

Classification chart (image not reproduced). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
  • System is w10x64
  • pkFIMBYMWr.exe (PID: 7824 cmdline: "C:\Users\user\Desktop\pkFIMBYMWr.exe" MD5: 769CC0701DDB3B77485187F4CFB89F53)
    • server.exe (PID: 8176 cmdline: "C:\Windows\server.exe" MD5: 769CC0701DDB3B77485187F4CFB89F53)
      • netsh.exe (PID: 2132 cmdline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 480 cmdline: netsh firewall delete allowedprogram "C:\Windows\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5720 cmdline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • krnl-fixer268.exe (PID: 6160 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe" MD5: 769CC0701DDB3B77485187F4CFB89F53)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{
  "Campaign ID": "krnl-fixer-268",
  "Version": "0.7d",
  "Install Name": "0db0e27f45963af1d9fd7ae9a9419dc1",
  "Install Dir": "system",
  "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "Network Seprator": "|'|'|"
}
Source | Rule | Description | Author | Strings
pkFIMBYMWr.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
pkFIMBYMWr.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a4d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156ef:$a3: Download ERROR
  • 0x15c9f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2c:$a5: netsh firewall delete allowedprogram "
pkFIMBYMWr.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c9f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137b8:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570d:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156ef:$s6: Download ERROR
  • 0x1377a:$s8: Select * From AntiVirusProduct
pkFIMBYMWr.exe | crimeware_njrat_strings | Detects njRAT based on some strings | Sekoia.io
  • 0x15491:$: set cdaudio door closed
  • 0x15455:$: set cdaudio door open
  • 0x15cb5:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
pkFIMBYMWr.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a4d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156d3:$msg: Execute ERROR
  • 0x15727:$msg: Execute ERROR
  • 0x15c9f:$ping: cmd.exe /c ping 0 -n 2 & del
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\krnl-fixer268.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Program Files (x86)\krnl-fixer268.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a4d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156ef:$a3: Download ERROR
  • 0x15c9f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2c:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\krnl-fixer268.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c9f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137b8:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570d:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156ef:$s6: Download ERROR
  • 0x1377a:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\krnl-fixer268.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c9f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137b8:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570d:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156ef:$s6: Download ERROR
  • 0x1377a:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\krnl-fixer268.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c9f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137b8:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570d:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156ef:$s6: Download ERROR
  • 0x1377a:$s8: Select * From AntiVirusProduct
Source | Rule | Description | Author | Strings
00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115f2:$a1: get_Registry
  • 0x15a6d:$a2: SEE_MASK_NOZONECHECKS
  • 0x1570f:$a3: Download ERROR
  • 0x15cbf:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c4c:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a6d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156f3:$msg: Execute ERROR
  • 0x15747:$msg: Execute ERROR
  • 0x15cbf:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x1584d:$a2: SEE_MASK_NOZONECHECKS
  • 0x154ef:$a3: Download ERROR
  • 0x15a9f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a2c:$a5: netsh firewall delete allowedprogram "
Source | Rule | Description | Author | Strings
0.0.pkFIMBYMWr.exe.700000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.pkFIMBYMWr.exe.700000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a4d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156ef:$a3: Download ERROR
  • 0x15c9f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2c:$a5: netsh firewall delete allowedprogram "
0.0.pkFIMBYMWr.exe.700000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c9f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137b8:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570d:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156ef:$s6: Download ERROR
  • 0x1377a:$s8: Select * From AntiVirusProduct
0.0.pkFIMBYMWr.exe.700000.0.unpack | crimeware_njrat_strings | Detects njRAT based on some strings | Sekoia.io
  • 0x15491:$: set cdaudio door closed
  • 0x15455:$: set cdaudio door open
  • 0x15cb5:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
0.0.pkFIMBYMWr.exe.700000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a4d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156d3:$msg: Execute ERROR
  • 0x15727:$msg: Execute ERROR
  • 0x15c9f:$ping: cmd.exe /c ping 0 -n 2 & del

System Summary

Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Windows\server.exe, ProcessId: 8176, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T22:12:37.241181+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:39.492735+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49728 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:42.068817+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:44.766529+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:47.346311+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:49.944665+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:52.532541+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:55.113465+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:57.774873+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:00.346176+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:02.950533+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:05.726508+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:08.336351+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:10.925278+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:13.544698+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:16.150890+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:18.881889+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:21.331321+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:23.681578+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:26.068195+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:28.216458+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:30.304462+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:32.217567+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:34.028917+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:36.745552+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:39.502585+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:42.221169+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:44.814720+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:47.383667+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:50.000424+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:52.595955+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:55.159262+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:57.830323+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:00.642413+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:03.457497+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:06.125665+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49765 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:09.762628+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49766 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:12.452093+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49767 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:15.103461+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49768 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:18.591925+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:21.212318+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:23.881920+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49771 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:26.835180+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49772 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:31.371483+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:33.676398+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:37.183178+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49775 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:40.601098+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:44.770637+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:53.392647+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49778 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:56.147054+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:58.981079+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49780 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:02.331049+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49781 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:05.029814+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:08.366304+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:11.026844+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49784 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:16.735726+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49785 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:18.871089+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49786 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:21.506700+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49787 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:49.916215+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:52.003121+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:54.581613+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49790 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:58.164615+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49791 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:10.483002+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49792 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:26.502895+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49793 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:32.419279+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T22:12:37.241181+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:39.492735+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49728 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:42.068817+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:44.766529+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:47.346311+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:49.944665+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:52.532541+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:55.113465+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:57.774873+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:00.346176+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:02.950533+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:05.726508+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:08.336351+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:10.925278+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:13.544698+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:16.150890+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:18.881889+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:21.331321+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:23.681578+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:26.068195+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:28.216458+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:30.304462+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:32.217567+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:34.028917+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:36.745552+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:39.502585+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:42.221169+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:44.814720+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:47.383667+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:50.000424+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:52.595955+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:55.159262+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:13:57.830323+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:00.642413+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:03.457497+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:06.125665+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49765 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:09.762628+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49766 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:12.452093+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49767 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:15.103461+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49768 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:18.591925+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:21.212318+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:23.881920+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49771 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:26.835180+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49772 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:31.371483+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:33.676398+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:14:37.183178+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49775 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:40.601098+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:44.770637+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:53.392647+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49778 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:56.147054+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:14:58.981079+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49780 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:02.331049+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49781 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:05.029814+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:08.366304+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:11.026844+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49784 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:16.735726+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49785 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:18.871089+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49786 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:21.506700+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49787 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:49.916215+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:52.003121+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:54.581613+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49790 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:15:58.164615+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49791 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:10.483002+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49792 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:26.502895+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49793 | 3.125.188.168 | 15408 | TCP
2025-03-11T22:16:32.419279+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T22:12:18.394523+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49719 | 104.26.12.205 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T22:12:44.858941+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:12:55.483631+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
2025-03-11T22:16:32.736959+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP


AV Detection

            Source: pkFIMBYMWr.exeAvira: detected
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Umbrella.flv.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Windows\server.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\krnl-fixer268.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpackMalware Configuration Extractor: Njrat {"Campaign ID": "krnl-fixer-268", "Version": "0.7d", "Install Name": "0db0e27f45963af1d9fd7ae9a9419dc1", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
            Source: C:\Program Files (x86)\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Umbrella.flv.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Local\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\Favorites\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Windows\SysWOW64\krnl-fixer268.exeReversingLabs: Detection: 86%
            Source: C:\Windows\server.exeReversingLabs: Detection: 86%
            Source: pkFIMBYMWr.exeVirustotal: Detection: 81%
            Source: pkFIMBYMWr.exeReversingLabs: Detection: 86%
            Source: Yara matchFile source: pkFIMBYMWr.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: pkFIMBYMWr.exe PID: 7824, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED
            Source: Yara matchFile source: C:\Windows\server.exe, type: DROPPED
            Source: Yara matchFile source: C:\Umbrella.flv.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED
            Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: pkFIMBYMWr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: pkFIMBYMWr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Spreading

            Source: pkFIMBYMWr.exe, Usb1.cs.Net Code: infect
            Source: server.exe.0.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe0.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe1.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe2.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe3.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe4.1.dr, Usb1.cs.Net Code: infect
            Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, Usb1.cs.Net Code: infect
            Source: Umbrella.flv.exe.1.dr, Usb1.cs.Net Code: infect
            Source: krnl-fixer268.exe5.1.dr, Usb1.cs.Net Code: infect
            Source: C:\Windows\server.exeFile created: C:\autorun.inf
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \autorun.inf
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: autorun.inf
            Source: pkFIMBYMWr.exe, 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \autorun.inf
            Source: pkFIMBYMWr.exe, 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
            Source: pkFIMBYMWr.exe, 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf
            Source: pkFIMBYMWr.exeBinary or memory string: \autorun.inf
            Source: pkFIMBYMWr.exeBinary or memory string: [autorun]
            Source: pkFIMBYMWr.exeBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe3.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe3.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe3.1.drBinary or memory string: autorun.inf
            Source: autorun.inf.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe.1.drBinary or memory string: autorun.inf
            Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.drBinary or memory string: \autorun.inf
            Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.drBinary or memory string: [autorun]
            Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe0.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe0.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe0.1.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe6.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe6.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe6.1.drBinary or memory string: autorun.inf
            Source: Umbrella.flv.exe.1.drBinary or memory string: \autorun.inf
            Source: Umbrella.flv.exe.1.drBinary or memory string: [autorun]
            Source: Umbrella.flv.exe.1.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe4.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe4.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe4.1.drBinary or memory string: autorun.inf
            Source: server.exe.0.drBinary or memory string: \autorun.inf
            Source: server.exe.0.drBinary or memory string: [autorun]
            Source: server.exe.0.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe5.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe5.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe5.1.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe1.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe1.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe1.1.drBinary or memory string: autorun.inf
            Source: krnl-fixer268.exe2.1.drBinary or memory string: \autorun.inf
            Source: krnl-fixer268.exe2.1.drBinary or memory string: [autorun]
            Source: krnl-fixer268.exe2.1.drBinary or memory string: autorun.inf

            Networking

            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49726 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49729 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49726 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49729 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49733 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49733 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49732 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49739 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49739 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49732 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49740 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49745 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49745 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49748 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49748 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49735 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49735 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49740 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49757 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49752 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49738 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49738 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49756 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49756 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49751 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49751 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49761 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49761 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49742 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49757 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49752 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49742 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49731 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49731 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49762 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49762 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49728 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49731 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49760 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49760 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49744 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49744 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49763 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49763 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49758 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49758 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49746 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49750 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49755 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49737 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49728 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49750 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49764 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49737 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49759 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49759 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49746 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49736 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49755 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49736 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49741 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49741 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49736 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49754 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49754 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49753 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49753 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49764 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49765 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49765 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49766 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49766 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49767 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49767 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49769 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49769 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49772 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49772 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49775 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49775 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49743 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49777 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49776 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49777 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49776 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49780 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49768 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49743 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49780 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49779 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49768 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49779 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49782 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49786 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49782 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49787 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49785 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49785 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49789 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49789 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49778 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49786 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49784 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49749 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49784 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49787 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49749 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49788 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49788 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49774 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49793 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49792 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49793 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49792 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49778 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49774 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49790 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49790 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49794 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49794 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49781 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49794 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49781 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49770 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49791 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49791 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49783 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49783 -> 3.125.188.168:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49770 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49771 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49771 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49773 -> 3.67.15.169:15408
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49773 -> 3.67.15.169:15408
            Source: global trafficTCP traffic: 3.125.188.168 ports 0,1,15408,4,5,8
            Source: global trafficTCP traffic: 3.67.15.169 ports 0,1,15408,4,5,8
            Source: global trafficTCP traffic: 192.168.2.4:49726 -> 3.67.15.169:15408
            Source: global trafficTCP traffic: 192.168.2.4:49775 -> 3.125.188.168:15408
            Source: Joe Sandbox ViewIP Address: 3.125.188.168 3.125.188.168
            Source: Joe Sandbox ViewIP Address: 3.67.15.169 3.67.15.169
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49719 -> 104.26.12.205:443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: 7.tcp.eu.ngrok.io
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeWindow created: window name: CLIPBRDWNDCLASS
            Source: C:\Windows\server.exeWindow created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeWindow created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeWindow created: window name: CLIPBRDWNDCLASS

            E-Banking Fraud

            Source: Yara matchFile source: pkFIMBYMWr.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: pkFIMBYMWr.exe PID: 7824, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED
            Source: Yara matchFile source: C:\Windows\server.exe, type: DROPPED
            Source: Yara matchFile source: C:\Umbrella.flv.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED

            System Summary

            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Windows\server.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | File created: C:\Windows\server.exe
            Source: C:\Windows\server.exe | File created: C:\Windows\SysWOW64\krnl-fixer268.exe
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4298
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED536F
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED50E3
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED49F9
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED44F1
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4544
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED505D
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED5459
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4B5B
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED47D4
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4F2F
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4936
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4630
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED470F
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4C8F
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED5000
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED499D
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4F9D
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe | Code function: 0_2_04ED4291
            Source: pkFIMBYMWr.exe, 00000000.00000002.1323983132.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs pkFIMBYMWr.exe
            Source: pkFIMBYMWr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: pkFIMBYMWr.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Windows\server.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: classification engine; Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@15/19@4/2
            Source: C:\Windows\server.exe; File created: C:\Program Files (x86)\krnl-fixer268.exe
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe; File created: C:\Users\user\AppData\Roaming\app
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
            Source: C:\Windows\server.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
            Source: C:\Windows\server.exeMutant created: \Sessions\1\BaseNamedObjects\0db0e27f45963af1d9fd7ae9a9419dc1
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe; File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
            Source: pkFIMBYMWr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: pkFIMBYMWr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: pkFIMBYMWr.exeVirustotal: Detection: 81%
            Source: pkFIMBYMWr.exeReversingLabs: Detection: 86%
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe; File read: C:\Users\user\Desktop\pkFIMBYMWr.exe
            Source: unknownProcess created: C:\Users\user\Desktop\pkFIMBYMWr.exe "C:\Users\user\Desktop\pkFIMBYMWr.exe"
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeProcess created: C:\Windows\server.exe "C:\Windows\server.exe"
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Windows\server.exe"
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe"
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeProcess created: C:\Windows\server.exe "C:\Windows\server.exe"
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Windows\server.exe"
            Source: C:\Windows\server.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: mscoree.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: apphelp.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: edputil.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: shfolder.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: propsys.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: urlmon.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: iertutil.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: srvcli.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: netutils.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: appresolver.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: slc.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: sppc.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\server.exeSection loaded: mscoree.dll
            Source: C:\Windows\server.exeSection loaded: apphelp.dll
            Source: C:\Windows\server.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\server.exeSection loaded: version.dll
            Source: C:\Windows\server.exeSection loaded: windows.storage.dll
            Source: C:\Windows\server.exeSection loaded: wldp.dll
            Source: C:\Windows\server.exeSection loaded: profapi.dll
            Source: C:\Windows\server.exeSection loaded: uxtheme.dll
            Source: C:\Windows\server.exeSection loaded: edputil.dll
            Source: C:\Windows\server.exeSection loaded: shfolder.dll
            Source: C:\Windows\server.exeSection loaded: ntmarta.dll
            Source: C:\Windows\server.exeSection loaded: cryptsp.dll
            Source: C:\Windows\server.exeSection loaded: rsaenh.dll
            Source: C:\Windows\server.exeSection loaded: cryptbase.dll
            Source: C:\Windows\server.exeSection loaded: mswsock.dll
            Source: C:\Windows\server.exeSection loaded: dnsapi.dll
            Source: C:\Windows\server.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\server.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\server.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\server.exeSection loaded: sspicli.dll
            Source: C:\Windows\server.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\server.exeSection loaded: amsi.dll
            Source: C:\Windows\server.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: acgenral.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: samcli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: msacm32.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: mpr.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: aclayers.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: sfc.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Section loaded: shfolder.dll
            Source: C:\Windows\server.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: pkFIMBYMWr.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: pkFIMBYMWr.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: pkFIMBYMWr.exe, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: server.exe.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe0.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe1.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe2.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe3.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe4.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Umbrella.flv.exe.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: krnl-fixer268.exe5.1.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    Executable created and started: C:\Windows\server.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Program Files (x86)\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\Favorites\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Umbrella.flv.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Windows\SysWOW64\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Local\krnl-fixer268.exe
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    File created: C:\Windows\server.exe

            Boot Survival

            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe
            Source: C:\Windows\server.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    Process information set: NOOPENFILEERRORBOX (27 identical entries in the report)
            Source: C:\Windows\server.exe    Process information set: NOOPENFILEERRORBOX (41 identical entries in the report)
            Source: C:\Windows\SysWOW64\netsh.exe    Process information set: NOOPENFILEERRORBOX (6 identical entries in the report)
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Process information set: NOOPENFILEERRORBOX (24 identical entries in the report)
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe    Process information set: NOOPENFILEERRORBOX (23 identical entries in the report)
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    Memory allocated: 10C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    Memory allocated: 2D50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe    Memory allocated: 10C0000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 11D0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2F10000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 4F10000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 6340000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 7340000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 7780000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 8780000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 89F0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 99F0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: ABF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: BBF0000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: C0C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: D0C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: E0C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: F0C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 7780000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 100C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 110C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: ABF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 110C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 120C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 130C0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 140C0000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: BBF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 14A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 15A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 16A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 17A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 18A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 19A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1AA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1BA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1CA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1DA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: B630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: C630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: D630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: E630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: F630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 10630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 11630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 12630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1DA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1EA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1FA60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 20A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 21A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 22A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 23A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 24A60000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 25A60000 memory commit | memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 26D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 27D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 28D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 29D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2AD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2BD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2CD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2DD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2ED90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2FD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 30D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 31D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 13770000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 13630000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: BEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: CEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: DEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: EEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: FEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 10EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 11EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 12EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 13EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 14EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 15EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 16EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 17EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 18EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 19EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1AEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1BEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1CEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1DEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1EEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1FEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 20EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 21EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 22EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 23EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 2DD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: CEF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: E170000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 13EF0000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 10030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 11030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: C170000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 12030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 13030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 14030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 15030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 16030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 17030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 18030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 19030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1A030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1B030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1C030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1D030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1E030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 1F030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 20030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 21030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 22030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 23030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 24030000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 32D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 33D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 34D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 35D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 36D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 37D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 38D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 39D90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 3AD90000 memory reserve | memory write watch
            Source: C:\Windows\server.exe    Memory allocated: 3BD90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Memory allocated: CB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe    Memory allocated: 2AF0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeMemory allocated: 25D0000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeMemory allocated: 1370000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeMemory allocated: 3000000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeMemory allocated: 1370000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\server.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\server.exeWindow / User API: threadDelayed 2437
            Source: C:\Windows\server.exeWindow / User API: threadDelayed 1916
            Source: C:\Windows\server.exeWindow / User API: foregroundWindowGot 452
            Source: C:\Windows\server.exeWindow / User API: foregroundWindowGot 452
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exe TID: 7860Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\server.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\server.exe TID: 4128Thread sleep time: -1218500s >= -30000s
            Source: C:\Windows\server.exe TID: 4128Thread sleep time: -958000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe TID: 3788Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe TID: 6148Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\server.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exeThread delayed: delay time: 922337203685477
            Source: pkFIMBYMWr.exe, 00000000.00000002.1323983132.0000000000EFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: netsh.exe, 00000002.00000003.1352392542.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
            Source: netsh.exe, 00000004.00000003.1383206049.0000000003032000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.1438574075.00000000032D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\server.exeProcess information queried: ProcessInformation
            Source: C:\Windows\server.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeMemory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\pkFIMBYMWr.exeProcess created: C:\Windows\server.exe "C:\Windows\server.exe"
            Source: pkFIMBYMWr.exe, krnl-fixer268.exe3.1.dr, krnl-fixer268.exe.1.dr, 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, krnl-fixer268.exe0.1.dr, krnl-fixer268.exe6.1.dr, Umbrella.flv.exe.1.dr, krnl-fixer268.exe4.1.dr, server.exe.0.dr, krnl-fixer268.exe5.1.drBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325744765.00000000050BB000.00000004.00000010.00020000.00000000.sdmp, krnl-fixer268.exe, 0000000D.00000002.1586890487.000000000547B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: dProgram Manager
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, pkFIMBYMWr.exe, 00000000.00000002.1325744765.00000000050BB000.00000004.00000010.00020000.00000000.sdmp, pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D8A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: pkFIMBYMWr.exe, krnl-fixer268.exe3.1.dr, krnl-fixer268.exe.1.dr, 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, krnl-fixer268.exe0.1.dr, krnl-fixer268.exe6.1.dr, Umbrella.flv.exe.1.dr, krnl-fixer268.exe4.1.dr, server.exe.0.dr, krnl-fixer268.exe5.1.drBinary or memory string: Shell_TrayWnd
            Source: pkFIMBYMWr.exe, krnl-fixer268.exe3.1.dr, krnl-fixer268.exe.1.dr, 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, krnl-fixer268.exe0.1.dr, krnl-fixer268.exe6.1.dr, Umbrella.flv.exe.1.dr, krnl-fixer268.exe4.1.dr, server.exe.0.dr, krnl-fixer268.exe5.1.drBinary or memory string: ProgMan
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/11 | 17:12:27 - Program Manager
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHE
            Source: pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, pkFIMBYMWr.exe, 00000000.00000002.1325022149.0000000002D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -\ledProgram Manager
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\server.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: pkFIMBYMWr.exe, Fransesco.cs | .Net Code: INS
Source: server.exe.0.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe0.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe1.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe2.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe3.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe4.1.dr, Fransesco.cs | .Net Code: INS
Source: 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe.1.dr, Fransesco.cs | .Net Code: INS
Source: Umbrella.flv.exe.1.dr, Fransesco.cs | .Net Code: INS
Source: krnl-fixer268.exe5.1.dr, Fransesco.cs | .Net Code: INS
Source: C:\Windows\server.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Windows\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Source: C:\Windows\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

            Stealing of Sensitive Information

Source: Yara match | File source: pkFIMBYMWr.exe, type: SAMPLE
Source: Yara match | File source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pkFIMBYMWr.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED

            Remote Access Functionality

Source: Yara match | File source: pkFIMBYMWr.exe, type: SAMPLE
Source: Yara match | File source: 0.0.pkFIMBYMWr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pkFIMBYMWr.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\krnl-fixer268.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, type: DROPPED

MITRE ATT&CK Matrix

Techniques the report maps signatures to, grouped by tactic. The number in front of a technique is the count shown in that cell of the report's matrix; tactics whose cells carry no count are marked none.

Reconnaissance: none
Resource Development: none
Initial Access: 21 Replication Through Removable Media
Execution: none
Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 12 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 132 Masquerading; 41 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Software Packing; 1 DLL Side-Loading
Credential Access: none
Discovery: 11 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Peripheral Device Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: none
Collection: 1 Archive Collected Data; 1 Clipboard Data
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: none
Impact: none
Behavior Graph (ID 1635682, sample pkFIMBYMWr.exe, start date 11/03/2025, architecture WINDOWS, score 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. DNS: 7.tcp.eu.ngrok.io.

Processes started from the sandbox root: pkFIMBYMWr.exe (7 files); 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe (3 files), started twice; krnl-fixer268.exe (3 files).

pkFIMBYMWr.exe: drops C:\Windows\server.exe (PE32) and C:\Users\user\AppData\...\pkFIMBYMWr.exe.log (ASCII); signature "Drops executables to the windows directory (C:\Windows) and starts them"; starts server.exe (1 registry value, 17 files).

server.exe: connects to 3.125.188.168 (15408, 49775, 49776; AMAZON-02US, United States) and to 7.tcp.eu.ngrok.io / 3.67.15.169 (15408, 49726, 49728; AMAZON-02US, United States); drops C:\Windows\SysWOW64\krnl-fixer268.exe (PE32), C:\Users\user\Favorites\krnl-fixer268.exe (PE32), C:\Users\user\AppData\...\krnl-fixer268.exe (PE32) and 8 other malicious files; signatures "Antivirus detection for dropped file", "Multi AV Scanner detection for dropped file", "Creates autorun.inf (USB autostart)" and 4 other signatures; starts netsh.exe three times, each netsh.exe starting a conhost.exe.

Source | Detection | Scanner | Label
pkFIMBYMWr.exe | 82% | Virustotal |
pkFIMBYMWr.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
pkFIMBYMWr.exe | 100% | Avira | TR/Dropper.Gen
Source | Detection | Scanner | Label
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Umbrella.flv.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Windows\server.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Umbrella.flv.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\krnl-fixer268.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Windows\server.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
7.tcp.eu.ngrok.io | 3.67.15.169 | true | true | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
3.125.188.168 | unknown | United States | 16509 | AMAZON-02US | true
3.67.15.169 | 7.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
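The following PowerShell host-triage script is an added example; it is not part of the Joe Sandbox report and not code from the sample. It checks a Windows host for the artifacts this report records: the dropped copies of the sample (C:\Windows\server.exe, the krnl-fixer268.exe and 0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe copies, C:\Umbrella.flv.exe, confirmed by the SHA-256 of the dropped files), the Startup-folder persistence, the HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS value, the firewall exception added via netsh, autorun.inf on removable drives, and the ngrok C2 endpoints listed above (7.tcp.eu.ngrok.io, 3.67.15.169, 3.125.188.168, TCP port 15408). Assumptions that are not in the report: the legacy `netsh firewall add allowedprogram` command produced an ordinary firewall rule that can be found by its program path, the host runs Windows 8 or later with the NetSecurity and DnsClient modules, and the script is run elevated from a PowerShell 5.1 console.

```powershell
# Added host-triage script for Joe Sandbox report 1635682 (njRAT). Not part of the report.
# Indicator values below are copied from the report; everything else is an assumption.
$Sha256    = '1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A'
$C2Domain  = '7.tcp.eu.ngrok.io'
$C2Ips     = @('3.67.15.169', '3.125.188.168')
$C2Port    = 15408
$Startup   = [Environment]::GetFolderPath('Startup')   # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
$DropNames = @('server.exe', 'krnl-fixer268.exe', 'Umbrella.flv.exe',
               '0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe')
$DropDirs  = @("$env:SystemRoot", "$env:SystemRoot\SysWOW64", "${env:ProgramFiles(x86)}",
               "$env:SystemDrive\", "$env:LOCALAPPDATA", "$env:USERPROFILE\Favorites", $Startup)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped copies: look for the known names in the known drop directories, then confirm by hash
#    (every dropped PE in the report carries the same SHA-256 as the submitted sample).
foreach ($dir in $DropDirs) {
    foreach ($name in $DropNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) {
            $h   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $tag = if ($h -eq $Sha256) { 'SHA-256 matches report' } else { 'name matches, hash differs' }
            $findings.Add("file: $p ($tag)")
        }
    }
}

# 2. Any executable in the per-user Startup folder deserves a look: that is where this sample persists.
Get-ChildItem -LiteralPath $Startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.exe' } |
    ForEach-Object { $findings.Add("startup exe: $($_.FullName)") }

# 3. SEE_MASK_NOZONECHECKS in HKCU\Environment suppresses the Mark-of-the-Web zone prompt.
$hkcuEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($hkcuEnv -and $hkcuEnv.PSObject.Properties['SEE_MASK_NOZONECHECKS']) {
    $findings.Add("registry: HKCU\Environment\SEE_MASK_NOZONECHECKS = $($hkcuEnv.SEE_MASK_NOZONECHECKS)")
}

# 4. Firewall exception: match rules by program path rather than by the 'server.exe' rule name,
#    so a renamed rule is still caught.
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\server.exe' } |
    ForEach-Object {
        $rule = Get-NetFirewallRule -AssociatedNetFirewallApplicationFilter $_
        $findings.Add("firewall rule: '$($rule.DisplayName)' $($rule.Direction)/$($rule.Action) for $($_.Program)")
    }

# 5. USB spreading: autorun.inf in the root of any removable volume.
Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $inf = "$($_.DriveLetter):\autorun.inf"
        if (Test-Path -LiteralPath $inf) { $findings.Add("removable media: $inf present") }
    }

# 6. Network: the ngrok tunnel name in the DNS client cache and live TCP sessions to the C2 IPs or port.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" -or $_.Name -like "*$C2Domain*" } |
    ForEach-Object { $findings.Add("dns cache: $($_.Entry) -> $($_.Data)") }

Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $C2Ips -or $_.RemotePort -eq $C2Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("tcp: $($_.RemoteAddress):$($_.RemotePort) owned by PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($findings.Count -eq 0) { 'No indicators from report 1635682 found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reports; it does not kill processes or delete files, so that the evidence survives for collection. The ngrok name and the two Amazon addresses are tunnel endpoints that other tenants can reuse, so treat a DNS-cache or connection hit as a lead to be confirmed against the file and registry findings rather than as proof on its own. Once confirmed, the owning process from step 6 should be stopped before the files from steps 1 and 2 are removed, the firewall rule from step 4 removed with Remove-NetFirewallRule, and the SEE_MASK_NOZONECHECKS value deleted with Remove-ItemProperty, since the Startup-folder copy will otherwise recreate the rest at next logon.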
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1635682
              Start date and time:2025-03-11 22:11:15 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 9m 8s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:pkFIMBYMWr.exe
              renamed because original name is a hash value
              Original Sample Name:769cc0701ddb3b77485187f4cfb89f53.exe
              Detection:MAL
              Classification:mal100.spre.phis.troj.adwa.evad.winEXE@15/19@4/2
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 95%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Excluded IPs from analysis (whitelisted): 2.16.185.191, 4.175.87.197
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:13:11 | API Interceptor | 88688x Sleep call for process: server.exe modified
21:12:35 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
21:12:44 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe
              No context
              No context
              No context
              No context
              No context
              Process:C:\Windows\server.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.564743931313968
              Encrypted:false
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              MD5:769CC0701DDB3B77485187F4CFB89F53
              SHA1:3483F93D4DDBA48DC3B2A57299BBF5DFED6C9A66
              SHA-256:1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A
              SHA-512:453C4E89B5956348F9E768BCBC971AC548CEE43033F3AB741EA0AE7B4B64C8EDDD6F755183C6CD0B20D822201C0DF328806E97606037AAC6E70074548D06218F
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Florian Roth
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Florian Roth
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Florian Roth
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Sekoia.io
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Sekoia.io
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Sekoia.io
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: JPCERT/CC Incident Response Group
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\krnl-fixer268.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 87%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..b.................p............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Windows\server.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.564743931313968
              Encrypted:false
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              MD5:769CC0701DDB3B77485187F4CFB89F53
              SHA1:3483F93D4DDBA48DC3B2A57299BBF5DFED6C9A66
              SHA-256:1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A
              SHA-512:453C4E89B5956348F9E768BCBC971AC548CEE43033F3AB741EA0AE7B4B64C8EDDD6F755183C6CD0B20D822201C0DF328806E97606037AAC6E70074548D06218F
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Umbrella.flv.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 87%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..b.................p............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.259753436570609
              Encrypted:false
              SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
              MD5:260E01CC001F9C4643CA7A62F395D747
              SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
              SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
              SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.259753436570609
              Encrypted:false
              SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
              MD5:260E01CC001F9C4643CA7A62F395D747
              SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
              SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
              SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
              Malicious:false
              Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
              Process:C:\Users\user\Desktop\pkFIMBYMWr.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.259753436570609
              Encrypted:false
              SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
              MD5:260E01CC001F9C4643CA7A62F395D747
              SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
              SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
              SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
              Malicious:true
              Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
              Process:C:\Windows\server.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.564743931313968
              Encrypted:false
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              MD5:769CC0701DDB3B77485187F4CFB89F53
              SHA1:3483F93D4DDBA48DC3B2A57299BBF5DFED6C9A66
              SHA-256:1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A
              SHA-512:453C4E89B5956348F9E768BCBC971AC548CEE43033F3AB741EA0AE7B4B64C8EDDD6F755183C6CD0B20D822201C0DF328806E97606037AAC6E70074548D06218F
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 87%
              Process:C:\Windows\server.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.564743931313968
              Encrypted:false
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              MD5:769CC0701DDB3B77485187F4CFB89F53
              SHA1:3483F93D4DDBA48DC3B2A57299BBF5DFED6C9A66
              SHA-256:1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A
              SHA-512:453C4E89B5956348F9E768BCBC971AC548CEE43033F3AB741EA0AE7B4B64C8EDDD6F755183C6CD0B20D822201C0DF328806E97606037AAC6E70074548D06218F
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 87%
              Process:C:\Users\user\Desktop\pkFIMBYMWr.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
              Category:dropped
              Size (bytes):5
              Entropy (8bit):1.9219280948873623
              Encrypted:false
              SSDEEP:3:yn:yn
              MD5:24E9E7D7EEA4DE90C8FC67AE1145ABF2
              SHA1:DD9BB46CCC6340CA892CF17EBE32B9BDBADEE2D1
              SHA-256:BD6C1D15579254E8879ADA07376F93CB2E959F45670374892FDE2EFAF4194F6C
              SHA-512:5572AFD61C7BA666515A987F23AD0A05AB753BDC28CFA492ADB30200207427A4A38699D3B7981E0750414775A4CE72A209511951D38A8673C709B08774FCA01F
              Malicious:false
              Preview:.11
              Process:C:\Users\user\Desktop\pkFIMBYMWr.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.564743931313968
              Encrypted:false
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              MD5:769CC0701DDB3B77485187F4CFB89F53
              SHA1:3483F93D4DDBA48DC3B2A57299BBF5DFED6C9A66
              SHA-256:1DC6F8DBBF2F2AA8359DB7FDF4B71068A64FAEF5FC56D7452744EA3FDE30A12A
              SHA-512:453C4E89B5956348F9E768BCBC971AC548CEE43033F3AB741EA0AE7B4B64C8EDDD6F755183C6CD0B20D822201C0DF328806E97606037AAC6E70074548D06218F
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\server.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\server.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\server.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Windows\server.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\server.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\server.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 87%
              Process:C:\Windows\server.exe
              File Type:Microsoft Windows Autorun file
              Category:dropped
              Size (bytes):55
              Entropy (8bit):4.474554204780528
              Encrypted:false
              SSDEEP:3:It1KV2PHQCyK0x:e1KAwCyD
              MD5:40B1630BE21F39CB17BD1963CAE5A207
              SHA1:63C14BD151D42820DD45C033363FA5B9E1D34124
              SHA-256:F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
              SHA-512:833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
              Malicious:true
              Preview:[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..
              Process:C:\Windows\SysWOW64\netsh.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):313
              Entropy (8bit):4.971939296804078
              Encrypted:false
              SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
              MD5:689E2126A85BF55121488295EE068FA1
              SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
              SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
              SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
              Malicious:false
              Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.564743931313968
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:pkFIMBYMWr.exe
              File size:95'232 bytes
              MD5:769cc0701ddb3b77485187f4cfb89f53
              SHA1:3483f93d4ddba48dc3b2a57299bbf5dfed6c9a66
              SHA256:1dc6f8dbbf2f2aa8359db7fdf4b71068a64faef5fc56d7452744ea3fde30a12a
              SHA512:453c4e89b5956348f9e768bcbc971ac548cee43033f3ab741ea0ae7b4b64c8eddd6f755183c6cd0b20d822201c0df328806e97606037aac6e70074548d06218f
              SSDEEP:768:wY3IGLyZnDQMMpAZrGSt6udttXyoslhkGJiXxrjEtCdnl2pi1Rz4Rk3tsGdplgS7:wGuZD3rGWNd7yhkhjEwzGi1dDdDlgS
              TLSH:4293E84977E96524E0BF56F75471F2004E35B48B1602E39E58F218AA0B33AC44F99FEB
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..b.................p............... ........@.. ....................................@................................
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x418f1e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x6286863B [Thu May 19 18:02:35 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18ecc | 0x4f | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x16f24 | 0x17000 | 04a6d895710f7d584eeb20323c0daa07 | False | 0.3685355808423913 | data | 5.596409957679938 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .reloc | 0x1a000 | 0xc | 0x200 | 9dc49a004fa3bd643fadc899ad4fdf5d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              DLL | Import
              mscoree.dll | _CorExeMain
              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
              2025-03-11T22:12:18.394523+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49719 | 104.26.12.205 | 443 | TCP
              2025-03-11T22:12:37.241181+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49726 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:37.241181+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49726 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:39.492735+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49728 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:39.492735+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49728 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:42.068817+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49729 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:42.068817+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49729 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:44.766529+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:44.766529+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:44.858941+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49731 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:47.346311+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49732 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:47.346311+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49732 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:49.944665+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49733 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:49.944665+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49733 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:52.532541+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49735 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:52.532541+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49735 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:55.113465+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:55.113465+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:55.483631+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49736 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:57.774873+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49737 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:12:57.774873+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49737 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:00.346176+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49738 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:00.346176+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49738 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:02.950533+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49739 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:02.950533+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49739 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:05.726508+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49740 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:05.726508+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49740 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:08.336351+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49741 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:08.336351+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49741 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:10.925278+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49742 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:10.925278+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49742 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:13.544698+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49743 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:13.544698+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49743 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:16.150890+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49744 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:16.150890+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49744 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:18.881889+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49745 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:18.881889+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49745 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:21.331321+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49746 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:21.331321+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49746 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:23.681578+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49748 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:23.681578+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49748 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:26.068195+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49749 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:26.068195+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49749 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:28.216458+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49750 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:28.216458+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49750 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:30.304462+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49751 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:30.304462+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49751 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:32.217567+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49752 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:32.217567+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49752 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:34.028917+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49753 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:34.028917+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49753 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:36.745552+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49754 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:36.745552+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49754 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:39.502585+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49755 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:39.502585+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49755 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:42.221169+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49756 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:42.221169+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49756 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:44.814720+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49757 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:44.814720+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49757 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:47.383667+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49758 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:47.383667+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49758 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:50.000424+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49759 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:50.000424+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49759 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:52.595955+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49760 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:52.595955+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49760 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:55.159262+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49761 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:55.159262+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49761 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:57.830323+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49762 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:13:57.830323+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49762 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:00.642413+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49763 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:00.642413+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49763 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:03.457497+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49764 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:03.457497+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49764 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:06.125665+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49765 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:06.125665+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49765 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:09.762628+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49766 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:09.762628+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49766 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:12.452093+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49767 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:12.452093+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49767 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:15.103461+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49768 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:15.103461+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49768 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:18.591925+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49769 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:18.591925+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49769 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:21.212318+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49770 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:21.212318+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49770 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:23.881920+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49771 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:23.881920+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49771 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:26.835180+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49772 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:26.835180+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49772 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:31.371483+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49773 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:31.371483+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49773 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:33.676398+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49774 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:33.676398+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49774 | 3.67.15.169 | 15408 | TCP
              2025-03-11T22:14:37.183178+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49775 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:37.183178+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49775 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:40.601098+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49776 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:40.601098+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49776 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:44.770637+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49777 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:44.770637+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49777 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:53.392647+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49778 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:53.392647+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49778 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:56.147054+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49779 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:56.147054+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49779 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:58.981079+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49780 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:14:58.981079+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49780 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:02.331049+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49781 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:02.331049+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49781 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:05.029814+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49782 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:05.029814+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49782 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:08.366304+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49783 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:08.366304+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49783 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:11.026844+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49784 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:11.026844+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49784 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:16.735726+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49785 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:16.735726+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49785 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:18.871089+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49786 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:18.871089+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49786 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:21.506700+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49787 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:21.506700+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49787 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:49.916215+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49788 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:49.916215+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49788 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:52.003121+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49789 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:52.003121+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49789 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:54.581613+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49790 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:54.581613+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49790 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:58.164615+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49791 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:15:58.164615+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49791 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:10.483002+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49792 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:10.483002+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49792 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:26.502895+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49793 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:26.502895+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49793 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:32.419279+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:32.419279+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP
              2025-03-11T22:16:32.736959+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49794 | 3.125.188.168 | 15408 | TCP
              • Total Packets: 59
              • Port 15408 (undefined service)
              • Port 53 (DNS)
              | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
              |---|---|---|---|---|
              | Mar 11, 2025 22:12:35.958731890 CET | 51901 | 53 | 192.168.2.4 | 1.1.1.1 |
              | Mar 11, 2025 22:12:35.968116045 CET | 53 | 51901 | 1.1.1.1 | 192.168.2.4 |
              | Mar 11, 2025 22:13:36.637511969 CET | 62088 | 53 | 192.168.2.4 | 1.1.1.1 |
              | Mar 11, 2025 22:13:36.655838013 CET | 53 | 62088 | 1.1.1.1 | 192.168.2.4 |
              | Mar 11, 2025 22:14:36.629153013 CET | 64846 | 53 | 192.168.2.4 | 1.1.1.1 |
              | Mar 11, 2025 22:14:36.647820950 CET | 53 | 64846 | 1.1.1.1 | 192.168.2.4 |
              | Mar 11, 2025 22:15:44.230905056 CET | 54431 | 53 | 192.168.2.4 | 1.1.1.1 |
              | Mar 11, 2025 22:15:44.249380112 CET | 53 | 54431 | 1.1.1.1 | 192.168.2.4 |
              | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
              |---|---|---|---|---|---|---|---|---|
              | Mar 11, 2025 22:12:35.958731890 CET | 192.168.2.4 | 1.1.1.1 | 0x8550 | Standard query (0) | 7.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:13:36.637511969 CET | 192.168.2.4 | 1.1.1.1 | 0xaf3e | Standard query (0) | 7.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:14:36.629153013 CET | 192.168.2.4 | 1.1.1.1 | 0x6550 | Standard query (0) | 7.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:15:44.230905056 CET | 192.168.2.4 | 1.1.1.1 | 0x98e2 | Standard query (0) | 7.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
              | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
              |---|---|---|---|---|---|---|---|---|---|---|
              | Mar 11, 2025 22:12:35.968116045 CET | 1.1.1.1 | 192.168.2.4 | 0x8550 | No error (0) | 7.tcp.eu.ngrok.io | | 3.67.15.169 | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:13:36.655838013 CET | 1.1.1.1 | 192.168.2.4 | 0xaf3e | No error (0) | 7.tcp.eu.ngrok.io | | 3.67.15.169 | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:14:36.647820950 CET | 1.1.1.1 | 192.168.2.4 | 0x6550 | No error (0) | 7.tcp.eu.ngrok.io | | 3.125.188.168 | A (IP address) | IN (0x0001) | false |
              | Mar 11, 2025 22:15:44.249380112 CET | 1.1.1.1 | 192.168.2.4 | 0x98e2 | No error (0) | 7.tcp.eu.ngrok.io | | 3.125.188.168 | A (IP address) | IN (0x0001) | false |
              Target ID: 0
              Start time: 17:12:26
              Start date: 11/03/2025
              Path: C:\Users\user\Desktop\pkFIMBYMWr.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\pkFIMBYMWr.exe"
              Imagebase: 0x700000
              File size: 95'232 bytes
              MD5 hash: 769CC0701DDB3B77485187F4CFB89F53
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1325288419.0000000003D58000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1299729159.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low
              Has exited: true

              Target ID: 1
              Start time: 17:12:28
              Start date: 11/03/2025
              Path: C:\Windows\server.exe
              Wow64 process (32bit): true
              Commandline: "C:\Windows\server.exe"
              Imagebase: 0xa60000
              File size: 95'232 bytes
              MD5 hash: 769CC0701DDB3B77485187F4CFB89F53
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\server.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\server.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\server.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Windows\server.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\server.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\server.exe, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 87%, ReversingLabs
              Reputation: low
              Has exited: false

              Target ID: 2
              Start time: 17:12:30
              Start date: 11/03/2025
              Path: C:\Windows\SysWOW64\netsh.exe
              Wow64 process (32bit): true
              Commandline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
              Imagebase: 0xe30000
              File size: 82'432 bytes
              MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 3
              Start time: 17:12:30
              Start date: 11/03/2025
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff62fc20000
              File size: 862'208 bytes
              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 4
              Start time: 17:12:32
              Start date: 11/03/2025
              Path: C:\Windows\SysWOW64\netsh.exe
              Wow64 process (32bit): true
              Commandline: netsh firewall delete allowedprogram "C:\Windows\server.exe"
              Imagebase: 0xe30000
              File size: 82'432 bytes
              MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 5
              Start time: 17:12:32
              Start date: 11/03/2025
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff62fc20000
              File size: 862'208 bytes
              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 6
              Start time: 17:12:32
              Start date: 11/03/2025
              Path: C:\Windows\SysWOW64\netsh.exe
              Wow64 process (32bit): true
              Commandline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
              Imagebase: 0xe30000
              File size: 82'432 bytes
              MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 7
              Start time: 17:12:33
              Start date: 11/03/2025
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff62fc20000
              File size: 862'208 bytes
              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 9
              Start time: 17:12:44
              Start date: 11/03/2025
              Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
              Wow64 process (32bit): false
              Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe"
              Imagebase: 0x420000
              File size: 95'232 bytes
              MD5 hash: 769CC0701DDB3B77485187F4CFB89F53
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Florian Roth
              • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: Sekoia.io
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 87%, ReversingLabs
              Reputation: low
              Has exited: true

              Target ID: 12
              Start time: 17:12:45
              Start date: 11/03/2025
              Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0db0e27f45963af1d9fd7ae9a9419dc1Windows Update.exe"
              Imagebase: 0x410000
              File size: 95'232 bytes
              MD5 hash: 769CC0701DDB3B77485187F4CFB89F53
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: low
              Has exited: true

              Target ID: 13
              Start time: 17:12:53
              Start date: 11/03/2025
              Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krnl-fixer268.exe"
              Imagebase: 0xaf0000
              File size: 95'232 bytes
              MD5 hash: 769CC0701DDB3B77485187F4CFB89F53
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Antivirus matches:
              • Detection: 87%, ReversingLabs
              Reputation: low
              Has exited: true

              No disassembly