Windows Analysis Report njw.exe

Overview

General Information

Sample Name: njw.exe
Analysis ID: 511823
MD5: 3f91f84924d1db7ace9ad307fcae35d1
SHA1: 50e790e2b3324c1b3805916c5a3c323ed8a7305f
SHA256: a0254e8580186ca146fcc6082a6110888ac0cc3c7f733e760ad7a655bd2a0503

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
PE file has nameless sections
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Uses the system / local time for branch decision (may execute only at specific dates)
IP address seen in connection with other malware
Abnormally high CPU usage
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Installs a global mouse hook
Found evaded block containing many API calls
PE file contains more sections than normal
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: njw.exe Virustotal: Detection: 11%
Machine Learning detection for sample
Source: njw.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: njw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068FDFC FindFirstFileA, 0_2_0068FDFC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068D8ED FindFirstFileA,GetTempPathA,DeleteFileA,FindNextFileA, 0_2_0068D8ED

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 88.212.201.198
Source: Joe Sandbox View IP Address: 87.250.251.119
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
Source: global traffic HTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW
Source: global traffic HTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9
Source: global traffic HTTP traffic detected: GET /watch/14153041?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=847304281635522680; i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; yabs-sid=2327043721635522680
Source: global traffic HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=3723159021635522681; i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; yabs-sid=702787781635522681
Source: global traffic HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /secondpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /firstpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 29 Oct 2021 15:51:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15ETag: W/"611e66ad-1ad5"Content-Encoding: gzip
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: <li><a href="http://www.facebook.com/ucoz.web.builder" target="_blank">Facebook</a></li> equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: Phttp://www.facebook.com/ucoz.web.builder75.1 equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: Phttp://www.facebook.com/ucoz.web.builderhtml equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.facebook.com/ucoz.web.builder equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmp String found in binary or memory: http://www.facebook.com/ucoz.web.builder7 equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.facebook.com/ucoz.web.buildert equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: www.facebook.comi equals www.facebook.com (Facebook)
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://book.ucoz.com
Source: njw.exe, 00000000.00000002.936865761.000000000B811000.00000004.00000001.sdmp String found in binary or memory: http://book.ucoz.com/
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://counter.yadro.ru/
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://counter.yadro.ru/hit;counter1?r
Source: njw.exe, 00000000.00000002.935239138.0000000006A8C000.00000004.00000001.sdmp String found in binary or memory: http://counter.yadro.ru/hit;counter1?r;s1280
Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://faq.ucoz.com/
Source: njw.exe, 00000000.00000002.936865761.000000000B811000.00000004.00000001.sdmp String found in binary or memory: http://faq.ucoz.com/iCy
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://faq.ucoz.com/z
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://forum.ucoz.com/
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://forum.ucoz.com/)
Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmp String found in binary or memory: http://forum.ucoz.com/r4r
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://google.com/search
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://google.com/searchb
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://google.com/searchr-c
Source: njw.exe String found in binary or memory: http://madExcept.com
Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp String found in binary or memory: http://madExcept.comU
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmp String found in binary or memory: http://top.ucoz.com/
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://top.ucoz.com/Ita
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.com
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://ucoz.com/register/
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.com/register/n:
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.com/register/x;Z
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://ucoz.com/register/~
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.com/s
Source: njw.exe, 00000000.00000002.935016714.0000000006A58000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.com:
Source: njw.exe, 00000000.00000002.935016714.0000000006A58000.00000004.00000001.sdmp String found in binary or memory: http://ucoz.comN
Source: njw.exe, 00000000.00000002.934808825.00000000067D8000.00000004.00000001.sdmp String found in binary or memory: http://w3.o
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.d
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.naro:
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.r
Source: njw.exe String found in binary or memory: http://www.all-bearings.narod.ru
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.934046409.0000000004004000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/$
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png$yE
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png4yU
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngDye
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngDze
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngTDu
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngg
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngu
Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngx
Source: njw.exe, 00000000.00000002.932325468.0000000000948000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngz
Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936684119.000000000B79C000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif...
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif.dll
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifQ
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifT
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifW
Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifY
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifg
Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png$zE
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png4
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png4DU
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngD
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngTzu
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngd
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngdD
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngt
Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png07
Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png?X
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngB7
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngg/
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngv6
Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png
Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png&
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png-c
Source: njw.exe, 00000000.00000003.754037157.000000000B828000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png...
Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png5?
Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngT8T
Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngX
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pnges
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngf
Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngg8g
Source: njw.exe, 00000000.00000003.754519394.000000000B7CE000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngj
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngt
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/B
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/F
Source: njw.exe, 00000000.00000002.935655115.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html-bearings.narod.ru/firstpage.html...
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html...
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html/
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html1
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html2
Source: njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html4E
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html7
Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlGix
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlHIe
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlI
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlO
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlQ
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlU:
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlWK
Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmleople
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlg
Source: njw.exe, 00000000.00000002.936034770.000000000A077000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlhttp://www.all-bearings.narod.ru/firstpage.html
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlk
Source: njw.exe, 00000000.00000003.754037157.000000000B828000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlk4y
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmly
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/n
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondp
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.940355610.000000000DF90000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.935655115.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html(
Source: njw.exe, 00000000.00000002.937283236.000000000BAF0000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html-Aloud
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html...
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html3
Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html6
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlF
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlK
Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlU
Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlX
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlY
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmletCookies
Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlh
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlhttp://www.all-bearings.narod.ru/secondpage.html
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmllU
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmllq
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlndpage.html...rstpage.html
Source: njw.exe, 00000000.00000002.932312200.0000000000940000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlng.pnge.gifE5
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlngs.narod.ru/secondpage.html
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmls
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlsk
Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlu6
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/sl
Source: njw.exe, njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp String found in binary or memory: http://www.all-bearings.narod.ru/webhelp.html
Source: njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmp String found in binary or memory: http://www.all-bearings.narod.ruL
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.ruc
Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp String found in binary or memory: http://www.all-bearings.narod.rud
Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp String found in binary or memory: http://www.all-bearings.narod.ruopenS
Source: njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.dr String found in binary or memory: http://www.google-analytics.com
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/32
Source: njw.exe, 00000000.00000002.935315308.0000000006A9C000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/7
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=2&utmn=1625169737&utmhn=www.all-bearings.
Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.js
Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.js)
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.js-1002c
Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.js021
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jsV
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jscrC:
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jsitC:
Source: njw.exe, 00000000.00000003.754265887.0000000006B3A000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1923535507&utmhn=www.all-bearing
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937344665.000000000BB25000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.comwww.google-analytics.com
Source: njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmp String found in binary or memory: http://www.macromedia.com
Source: njw.exe String found in binary or memory: http://www.remserviss.ru
Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp String found in binary or memory: http://www.remserviss.ruopen
Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: http://www.ucoz.com/pricing/
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/pricing/.5
Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/pricing/Iy
Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/privacy/
Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/privacy/%y
Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/privacy/dyb
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/terms/
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/terms/j
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/terms/s
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/tour/
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/tour/8a
Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/tour/px
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: http://www.ucoz.com/tour/q
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: https://counter.yadro.ru/
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp String found in binary or memory: https://counter.yadro.ru/&
Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935516918.0000000006AF2000.00000004.00000001.sdmp String found in binary or memory: https://counter.yadro.ru/hit;counter1?q;r;s1280
Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp String found in binary or memory: https://counter.yadro.ru/hit;counter1?r;s1280
Source: njw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.774568164.000000000E05A000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://iframe-toloka.com/
Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp String found in binary or memory: https://login.live.comt
Source: njw.exe, 00000000.00000002.935488975.0000000006AEB000.00000004.00000001.sdmp String found in binary or memory: https://mc.y
Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp String found in binary or memory: https://mc.y0
Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://mc.yandex.
Source: njw.exe, 00000000.00000003.782452215.000000000DF16000.00000004.00000010.sdmp String found in binary or memory: https://mc.yandex.:
Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://mc.yandex.md/cc
Source: njw.exe, 00000000.00000003.789755108.000000000F548000.00000004.00000001.sdmp String found in binary or memory: https://mc.yandex.md/ccPageView.
Source: njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp String found in binary or memory: https://mc.yandex.md/ccba
Source: njw.exe, 00000000.00000003.756492906.0000000006831000.00000004.00000001.sdmp String found in binary or memory: https://mc.yandex.pK
Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://s3.mds.yandex.net/internal-metrika-betas
Source: njw.exe, 00000000.00000003.790985819.000000000F57D000.00000004.00000001.sdmp String found in binary or memory: https://s3.mds.yandex.net/internal-metrika-betasS
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937440425.000000000BB68000.00000004.00000001.sdmp, ga[1].js.0.dr String found in binary or memory: https://ssl.google-analytics.com
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.dr String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: njw.exe, 00000000.00000002.936233347.000000000A330000.00000004.00000001.sdmp String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gifpN3
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.dr String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/
Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/#
Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/k4y
Source: ga[1].js.0.dr String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.dr String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmp String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.785521786.000000000ECC0000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmp, njw.exe, 00000000.00000003.756492906.0000000006831000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://yastatic.net/s3/gdpr/popup/v2/
Source: njw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://yastatic.net/s3/metrika
Source: njw.exe, 00000000.00000003.774568164.000000000E05A000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.dr String found in binary or memory: https://ymetrica1.com/watch/3/1
Source: unknown DNS traffic detected: queries for: www.all-bearings.narod.ru
Source: global traffic HTTP traffic detected:
    GET /metrika/watch.js HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: mc.yandex.ru
Source: global traffic HTTP traffic detected:
    GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: counter.yadro.ru
Source: global traffic HTTP traffic detected:
    GET /metrika/watch.js HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: mc.yandex.ru
Source: global traffic HTTP traffic detected:
    GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: counter.yadro.ru
Source: global traffic HTTP traffic detected:
    GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: counter.yadro.ru
    Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW
Source: global traffic HTTP traffic detected:
    GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: counter.yadro.ru
    Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9
Source: global traffic HTTP traffic detected:
    GET /watch/14153041?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: mc.yandex.ru
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=847304281635522680; i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; yabs-sid=2327043721635522680
Source: global traffic HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=3723159021635522681; i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; yabs-sid=702787781635522681
Source: global traffic HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /secondpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /firstpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49793 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: njw.exe, 00000000.00000002.932325468.0000000000948000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a global mouse hook
Source: C:\Users\user\Desktop\njw.exe Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042CB18 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard, 0_2_0042CB18

System Summary:

PE file has nameless sections
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Uses 32bit PE files
Source: njw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00410CCC 0_2_00410CCC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00418068 0_2_00418068
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00412120 0_2_00412120
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00415330 0_2_00415330
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0043F454 0_2_0043F454
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00416554 0_2_00416554
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0069251E 0_2_0069251E
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004247D8 0_2_004247D8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004177E8 0_2_004177E8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040D97C 0_2_0040D97C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00414938 0_2_00414938
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00427A5C 0_2_00427A5C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00690DFF 0_2_00690DFF
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\njw.exe Code function: String function: 00436A94 appears 46 times
Source: C:\Users\user\Desktop\njw.exe Code function: String function: 00404C04 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040B8E8 NtdllDefWindowProc_A,WaitForSingleObject,ReleaseMutex, 0_2_0040B8E8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, 0_2_0042AC1C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0043F454 NtdllDefWindowProc_A,LoadCursorA,SetCursor,NtdllDefWindowProc_A,BeginPaint,GetClientRect,GetSysColor,GetSysColor,SelectObject,GetTextExtentPoint32A,SetTextColor,GetSysColor,SetTextColor,GetSysColor,SetBkColor,TextOutA,SelectObject,EndPaint,NtdllDefWindowProc_A,InvalidateRect,NtdllDefWindowProc_A,ShellExecuteA,NtdllDefWindowProc_A,NtdllDefWindowProc_A,GetFocus,KillTimer,InvalidateRect,GetSysColor,GetSysColor,Sleep,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetClientRect,PostMessageA,GetSysColor,GetSysColor,KillTimer,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,NtdllDefWindowProc_A,GetWindowRect,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetClientRect,InvalidateRect,NtdllDefWindowProc_A, 0_2_0043F454
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00427A5C GetCursorPos,ScreenToClient,IsWindowEnabled,LoadCursorA,SetCursor,NtdllDefWindowProc_A,SetCapture,ReleaseCapture,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,BeginPaint,EndPaint,SetTextColor,SetTextColor,SetTextColor,SetTextColor,GetSysColorBrush,GetClientRect,GetFocus,SetFocus,KillTimer,NtdllDefWindowProc_A,NtdllDefWindowProc_A,GetWindowRect,ScreenToClient,ScreenToClient,InflateRect,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,GetWindowLongA,PostMessageA,GetFocus,KillTimer,NtdllDefWindowProc_A, 0_2_00427A5C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00408BAC GetWindowLongA,GetWindowLongA,NtdllDefWindowProc_A, 0_2_00408BAC
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\njw.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: njw.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: njw.exe Static PE information: Number of sections : 12 > 10
Source: njw.exe Static PE information: Section: ZLIB complexity 1.0021484375
Source: njw.exe Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\njw.exe File read: C:\Users\user\Desktop\njw.exe
Source: C:\Users\user\Desktop\njw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\njw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\njw.exe File created: C:\Users\user\Desktop\bugreport.txt
Source: C:\Users\user\Desktop\njw.exe File created: C:\Users\user\AppData\Local\Temp\njw.madExcept
Source: classification engine Classification label: mal60.spyw.winEXE@1/17@4/3
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068ED30 GetLastError,FormatMessageA,wsprintfA, 0_2_0068ED30
Source: C:\Users\user\Desktop\njw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: njw.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\njw.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1bd0
Source: C:\Users\user\Desktop\njw.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1bd4$40ba70
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042E204 FindResourceA, 0_2_0042E204
Source: Yara match File source: 0.2.njw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\njw.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\njw.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\njw.exe Window found: window name: TEdit
Source: Window Recorder Window detected: More than 3 window changes detected
Source: njw.exe Static file information: File size 1694802 > 1048576

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00446FC4 push ecx; mov dword ptr [esp], edx 0_2_00446FC5
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00407128 push 00407154h; ret 0_2_0040714C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040B13C push 0040B168h; ret 0_2_0040B160
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00408184 push 004081B0h; ret 0_2_004081A8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A240 push 0042A26Ch; ret 0_2_0042A264
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040926C push 00409298h; ret 0_2_00409290
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00408348 push 00408374h; ret 0_2_0040836C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00408310 push 0040833Ch; ret 0_2_00408334
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0041331C push 00413348h; ret 0_2_00413340
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A3D8 push 0042A404h; ret 0_2_0042A3FC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00418390 push 004183BCh; ret 0_2_004183B4
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004583B8 push ecx; mov dword ptr [esp], edx 0_2_004583BD
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A458 push 0042A484h; ret 0_2_0042A47C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A420 push 0042A44Ch; ret 0_2_0042A444
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A4C8 push 0042A4F4h; ret 0_2_0042A4EC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A490 push 0042A4BCh; ret 0_2_0042A4B4
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A550 push 0042A57Ch; ret 0_2_0042A574
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A500 push 0042A52Ch; ret 0_2_0042A524
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004285B8 push ecx; mov dword ptr [esp], ecx 0_2_004285BD
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00417784 push 004177B0h; ret 0_2_004177A8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A8E0 push 0042A90Ch; ret 0_2_0042A904
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004098AC push ecx; mov dword ptr [esp], edx 0_2_004098B1
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0041C968 push 0041C9ADh; ret 0_2_0041C9A5
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00423968 push 00423994h; ret 0_2_0042398C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00409914 push ecx; mov dword ptr [esp], edx 0_2_00409919
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0041C920 push 0041C963h; ret 0_2_0041C95B
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042A988 push 0042A9B4h; ret 0_2_0042A9AC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040CB58 push 0040CB85h; ret 0_2_0040CB7D
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0040CB00 push 0040CB53h; ret 0_2_0040CB4B
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00406DF4 push 00406E45h; ret 0_2_00406E3D
PE file contains sections with non-standard names
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
Source: njw.exe Static PE information: section name:
PE file contains an invalid checksum
Source: njw.exe Static PE information: real checksum: 0x287c15 should be: 0x1a3590
Source: initial sample Static PE information: section name: entropy: 7.97472353809

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00429058 IsWindowEnabled,EnableWindow,CreateCompatibleDC,SelectObject,DeleteDC,GetWindowRect,GetClientRect,GetSystemMetrics,GetSystemMetrics,SetWindowPos,ShowWindow,IsIconic,ShowWindow,BringWindowToTop,SetForegroundWindow,SetTimer,GetKeyState,IsDialogMessage,TranslateMessage,DispatchMessageA,IsWindow,GetMessageA,VirtualFree,EnableWindow,SetActiveWindow, 0_2_00429058
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_004234B8 GetWindowThreadProcessId,GetCurrentProcessId,IsWindowVisible,IsIconic,GetWindowRect,OffsetRect, 0_2_004234B8
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042354C GetWindowThreadProcessId,GetCurrentProcessId,IsWindowVisible,IsIconic,GetWindowRect,OffsetRect,CreateRectRgnIndirect,CombineRgn,DeleteObject, 0_2_0042354C
Source: C:\Users\user\Desktop\njw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\njw.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, 0_2_0042AC1C
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068A2D1 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp-4ch], 03h and CTI: jnc 0068A3BEh 0_2_0068A2D1
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\njw.exe Memory allocated: 3F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\njw.exe Memory allocated: A110000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\njw.exe Memory allocated: A2B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\njw.exe Memory allocated: A2D0000 memory reserve | memory write watch
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\njw.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\njw.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\njw.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068FDFC FindFirstFileA, 0_2_0068FDFC
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068D8ED FindFirstFileA,GetTempPathA,DeleteFileA,FindNextFileA, 0_2_0068D8ED
Source: C:\Users\user\Desktop\njw.exe File Volume queried: C:\ FullSizeInformation
Source: njw.exe, 00000000.00000003.738298118.00000000009A7000.00000004.00000001.sdmp Binary or memory string: 1&0SWD\MSRRAS\MS_AGILEVPNMINIPORTROOT\CompositeBus\0000ROOT\vdrvroot\0000ROOT\spaceport\0000ACPI\PNP0B00\4&1bd7f811&0ROOT\KDNIC\0000ACPI\PNP0303\4&1bd7f811&0USB\VID_0E0F&PID_0003&MI_01\7&1ffda586&0&0001SWD\PRINTENUM\{76EAF5AF-D6EB-4F92-BEE0-755C2D4343CA}SWD\PRINTENUM\{AD489F8D-3BDF-4E8D-B3D2-2E65A589368B}PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A8PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A9PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AAPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ABPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ACPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ADPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AEPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AFPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B0PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B1PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B2PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B3PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B4PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B5PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B6PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B7PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B8PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B9PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BAPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BBPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BCPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BDPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BEPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BFPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C0PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C1PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61a
aa01&0&C2PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C3PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C4PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C5PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C6PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C7ACPI\PNP0200\4&1bd7f811&0ROOT\UMBUS\0000SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000ROOT\ACPI_HAL\0000SWD\MSRRAS\MS_NDISWANBHSWD\MSRRAS\MS_NDISWANIPPCI\VEN_15AD&DEV_1977&SUBSYS_197715AD&REV_09\4&bbf9765&0&0088ACPI_HAL\PNP0C08\0HTREE\ROOT\0ROOT\BasicRender\0000SWD\MSRRAS\MS_SSTPMINIPORTSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61aaa01&0&3FSWD\PRINTENUM\{56829D9F-AB04-4336-A25A-0504A6D184EC}ACPI\FixedButton\2&daba3ff&0PCI\VEN_8086&DEV_7110&SUBSYS_197615AD&REV_08\3&61aaa01&0&38ACPI\PNP0C02\1fHID\VID_0E0F&PID_0003&MI_00\8&1230c469&0&0000PCI\VEN_15AD&DEV_0779&SUBSYS_077915AD&REV_00\4&3b50545d&0&00B8STORAGE\Volume\{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000SWD\MMDEVAPI\{0.0.1.00000000}.{fcb8848f-2374-48ab-94
Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000C=C
Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmp Binary or memory string: AS\MS_AGILEVPNMINIPORTROOT\CompositeBus\0000ROOT\vdrvroot\0000ROOT\spaceport\0000ACPI\PNP0B00\4&1bd7f811&0ROOT\KDNIC\0000ACPI\PNP0303\4&1bd7f811&0USB\VID_0E0F&PID_0003&MI_01\7&1ffda586&0&0001SWD\PRINTENUM\{76EAF5AF-D6EB-4F92-BEE0-755C2D4343CA}SWD\PRINTENUM\{AD489F8D-3BDF-4E8D-B3D2-2E65A589368B}PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A8PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A9PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AAPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ABPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ACPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ADPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AEPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AFPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B0PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B1PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B2PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B3PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B4PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B5PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B6PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B7PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B8PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B9PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BAPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BBPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BCPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BDPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BEPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BFPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C0PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C1PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C2PC
I\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C3PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C4PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C5PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C6PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C7ACPI\PNP0200\4&1bd7f811&0ROOT\UMBUS\0000SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000ROOT\ACPI_HAL\0000SWD\MSRRAS\MS_NDISWANBHSWD\MSRRAS\MS_NDISWANIPPCI\VEN_15AD&DEV_1977&SUBSYS_197715AD&REV_09\4&bbf9765&0&0088ACPI_HAL\PNP0C08\0HTREE\ROOT\0ROOT\BasicRender\0000SWD\MSRRAS\MS_SSTPMINIPORTSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61aaa01&0&3FSWD\PRINTENUM\{56829D9F-AB04-4336-A25A-0504A6D184EC}ACPI\FixedButton\2&daba3ff&0PCI\VEN_8086&DEV_7110&SUBSYS_197615AD&REV_08\3&61aaa01&0&38ACPI\PNP0C02\1fHID\VID_0E0F&PID_0003&MI_00\8&1230c469&0&0000PCI\VEN_15AD&DEV_0779&SUBSYS_077915AD&REV_00\4&3b50545d&0&00B8STORAGE\Volume\{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000SWD\MMDEVAPI\{0.0.1.00000000}.{fcb8848f-2374-48ab-9412-fa1c511f
Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWh
Source: njw.exe, 00000000.00000003.742405334.0000000002658000.00000004.00000001.sdmp, bugreport.txt.0.dr Binary or memory string: - Microsoft Hyper-V Generation Counter

Anti Debugging:

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042BA90 VirtualProtect 00000000,00000004,00607910,00607910,00000000,00000004,00000040,00607910,00000000,00000001,00000000 0_2_0042BA90
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, 0_2_0042AC1C
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068EF5E SetUnhandledExceptionFilter, 0_2_0068EF5E
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068F6E2 EnterCriticalSection,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_0068F6E2
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042B7EC InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_0042B7EC
Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\SysWOW64\Macromed\Flash\activex.vch VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\njw.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0040648C
Source: C:\Users\user\Desktop\njw.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00406598
Source: C:\Users\user\Desktop\njw.exe Code function: GetThreadLocale,GetLocaleInfoA, 0_2_0040AB10
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Jump to behavior
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068A2D1 GetSystemTimeAsFileTime,SetFilePointer,ReadFile,GetSystemTimeAsFileTime, 0_2_0068A2D1
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0041CE14 RtlValidSecurityDescriptor,VirtualQuery,GetVersion,GetModuleHandleA, 0_2_0041CE14

Stealing of Sensitive Information:

Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\njw.exe Code function: EnterCriticalSection,LocalAlloc,LeaveCriticalSection, SmtpPassword 0_2_0042EB98
Source: C:\Users\user\Desktop\njw.exe Code function: EnterCriticalSection,LocalAlloc,LeaveCriticalSection, SmtpPassword 0_2_0042EB98
Source: C:\Users\user\Desktop\njw.exe Code function: SmtpPassword 0_2_00435178

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00439C00 socket,bind,htons,sendto,select,closesocket, 0_2_00439C00