Edit tour

Windows Analysis Report
Xtks4KI16J.exe

Overview

General Information

Sample name:	Xtks4KI16J.exe renamed because original name is a hash value
Original sample name:	Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
Analysis ID:	1507175
MD5:	e7535a5bf45492fceb86529a7fc9262d
SHA1:	3794cd79ac81a757a3a5472425d636d09542bf82
SHA256:	f786169ec6bf76ccf3ae7e231f5721926d668e8162a3772adb4d60edf27ed4e7
Infos:

Detection

Berbew, Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Yara detected Berbew

Yara detected Njrat

AI detected suspicious sample

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Xtks4KI16J.exe (PID: 1620 cmdline: "C:\Users\user\Desktop\Xtks4KI16J.exe" MD5: E7535A5BF45492FCEB86529A7FC9262D)

Ikgcna32.exe (PID: 5228 cmdline: C:\Windows\system32\Ikgcna32.exe MD5: 5BF78889FF869E37498DE5C9C505D3F4)

Idogffko.exe (PID: 4484 cmdline: C:\Windows\system32\Idogffko.exe MD5: 44B1D19D1F316401D07436026D0C8F93)

Ipfhkgac.exe (PID: 3300 cmdline: C:\Windows\system32\Ipfhkgac.exe MD5: 4F2762AB1971305DCB7E62833EE29EC6)

Ikklipqi.exe (PID: 5824 cmdline: C:\Windows\system32\Ikklipqi.exe MD5: 5F42235DCB8D9B0D74D8780DEDEF3DD6)

Jddqaf32.exe (PID: 4564 cmdline: C:\Windows\system32\Jddqaf32.exe MD5: 52F2625244F7597416A74A133B7029C5)

Jjqijmeq.exe (PID: 3632 cmdline: C:\Windows\system32\Jjqijmeq.exe MD5: 2C9A4475BE131CCAC6871AE983CA72EA)

Jgdjcadj.exe (PID: 2596 cmdline: C:\Windows\system32\Jgdjcadj.exe MD5: 8186437E2CA451B45919F2179F00DD06)

Jqmnlf32.exe (PID: 6748 cmdline: C:\Windows\system32\Jqmnlf32.exe MD5: 92CFBCE6CFD5AA8DC54EE9ECA05DC000)

Jkbbioja.exe (PID: 4280 cmdline: C:\Windows\system32\Jkbbioja.exe MD5: 3F9DFF15D79161B762641DEBC1DD1253)

Jbogli32.exe (PID: 6008 cmdline: C:\Windows\system32\Jbogli32.exe MD5: 954F234246B8674AD183FA10ACAF2457)

Kjjlpk32.exe (PID: 6668 cmdline: C:\Windows\system32\Kjjlpk32.exe MD5: 51E61062139BE553220506C4BC182CD4)

Kkjhjn32.exe (PID: 7112 cmdline: C:\Windows\system32\Kkjhjn32.exe MD5: A7516A7869FFE0EC2C66E2A7A0B02444)

Khnicb32.exe (PID: 7184 cmdline: C:\Windows\system32\Khnicb32.exe MD5: F2D6F9BC64756AD880683220BDD89B61)

Khbbobom.exe (PID: 7200 cmdline: C:\Windows\system32\Khbbobom.exe MD5: D5D0C07DEEC73A95DC48372F44B81AC8)

Lbmcmgck.exe (PID: 7216 cmdline: C:\Windows\system32\Lbmcmgck.exe MD5: AF4FF01A204CD902288202DED8E23A38)

Lqbqnc32.exe (PID: 7232 cmdline: C:\Windows\system32\Lqbqnc32.exe MD5: FD3AF1AA7CF7E783321048E4FFC396A3)

Lileeqgb.exe (PID: 7248 cmdline: C:\Windows\system32\Lileeqgb.exe MD5: 7F4D403B3A930EAA5CCF08F8F1FA92BC)

Lgqbfmlj.exe (PID: 7264 cmdline: C:\Windows\system32\Lgqbfmlj.exe MD5: 274BC707BAF2708F03F6380BBB2C14E4)

Mbiciein.exe (PID: 7284 cmdline: C:\Windows\system32\Mbiciein.exe MD5: E472CC27576F19571E64776E28F7DDB1)

Mnodnfob.exe (PID: 7300 cmdline: C:\Windows\system32\Mnodnfob.exe MD5: 24C03AE87E6F88E042305ACE5C56BAA9)

Mapmoalc.exe (PID: 7320 cmdline: C:\Windows\system32\Mapmoalc.exe MD5: 78C3B2396D3A3315BC238EC41BCEC25B)

Mndmif32.exe (PID: 7336 cmdline: C:\Windows\system32\Mndmif32.exe MD5: A7BBB89E20C7F6C459957260066705AB)

Mhlaakam.exe (PID: 7352 cmdline: C:\Windows\system32\Mhlaakam.exe MD5: 7BCEC97A05D4FF32C52BDF14A4C9A277)

Maefjq32.exe (PID: 7368 cmdline: C:\Windows\system32\Maefjq32.exe MD5: 28CC60C41EDF66DC2FECC77632BA2A0E)

Nbdbdc32.exe (PID: 7384 cmdline: C:\Windows\system32\Nbdbdc32.exe MD5: C95E1B71474A4BA569CC5C2D609717E2)

Naipepdh.exe (PID: 7400 cmdline: C:\Windows\system32\Naipepdh.exe MD5: B3290E1E908A171DF3EFE9142B1A7D4D)

Nnmpodcb.exe (PID: 7416 cmdline: C:\Windows\system32\Nnmpodcb.exe MD5: BDB5BC4D6CFB1A2D93ABBE958681F615)

Nlaqhh32.exe (PID: 7432 cmdline: C:\Windows\system32\Nlaqhh32.exe MD5: EE8F87788EF191C005E39679D12A159B)

Njfmiegc.exe (PID: 7448 cmdline: C:\Windows\system32\Njfmiegc.exe MD5: 82549D32B9E9F17AB1FFF87D5D49893C)

Oihnglob.exe (PID: 7464 cmdline: C:\Windows\system32\Oihnglob.exe MD5: 4D796F85EF73E2F666C65C8C7E7A7A49)

Obbofa32.exe (PID: 7480 cmdline: C:\Windows\system32\Obbofa32.exe MD5: 046CF0C6D652D63EF01DEA04915EEA1B)

Ooipkb32.exe (PID: 7496 cmdline: C:\Windows\system32\Ooipkb32.exe MD5: DFAC4E8D9942591C0ED22E230D6A03A7)

Olmpdg32.exe (PID: 7512 cmdline: C:\Windows\system32\Olmpdg32.exe MD5: 8B926717C5CB2963272DB3B1996639FE)

Olpmjffk.exe (PID: 7532 cmdline: C:\Windows\system32\Olpmjffk.exe MD5: E5A628E6A49213BA55FBC416E1248381)

Plbiofci.exe (PID: 7548 cmdline: C:\Windows\system32\Plbiofci.exe MD5: 46E652A4455D1CDBCFAF72579A1D51DF)

Pkgfpbhq.exe (PID: 7572 cmdline: C:\Windows\system32\Pkgfpbhq.exe MD5: 602D0C607533FBFB5C861134DB2AD084)

Poeofa32.exe (PID: 7588 cmdline: C:\Windows\system32\Poeofa32.exe MD5: 55763FED85DBD88A0F7A8C5303620C72)

Pklpkb32.exe (PID: 7604 cmdline: C:\Windows\system32\Pklpkb32.exe MD5: FD1402ECAB55A284004F6CEF8BAE66C4)

Peadik32.exe (PID: 7620 cmdline: C:\Windows\system32\Peadik32.exe MD5: 65FE7DE016AAB6B76E0376FA9C1F7C4C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Berbew		No Attribution	https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/	https://malpedia.caad.fkie.fraunhofer.de/details/win.berbew

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Xtks4KI16J.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Xtks4KI16J.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
Xtks4KI16J.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
Xtks4KI16J.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
Xtks4KI16J.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\Peadik32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Peadik32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Peadik32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Peadik32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Peadik32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Lileeqgb.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Pkgfpbhq.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Lileeqgb.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Pkgfpbhq.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Lileeqgb.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Lileeqgb.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Lileeqgb.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Pkgfpbhq.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Pkgfpbhq.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Pkgfpbhq.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Olpmjffk.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Olpmjffk.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Olpmjffk.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Olpmjffk.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Olpmjffk.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Kkjhjn32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkjhjn32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Kkjhjn32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Kkjhjn32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Kkjhjn32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Lbmcmgck.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Lbmcmgck.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Lbmcmgck.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Lbmcmgck.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Lbmcmgck.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Olmpdg32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Olmpdg32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Olmpdg32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Olmpdg32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Olmpdg32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jqmnlf32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mndmif32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mndmif32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mndmif32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mndmif32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mndmif32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jqmnlf32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jqmnlf32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jqmnlf32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Njfmiegc.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Njfmiegc.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mapmoalc.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mapmoalc.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jqmnlf32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Njfmiegc.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Njfmiegc.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Njfmiegc.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mbiciein.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mbiciein.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mbiciein.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mbiciein.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mbiciein.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mapmoalc.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mapmoalc.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mapmoalc.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Poeofa32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Poeofa32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Poeofa32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Poeofa32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Poeofa32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jjqijmeq.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jjqijmeq.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jjqijmeq.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jjqijmeq.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jjqijmeq.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Pojhapkb.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Pojhapkb.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Pojhapkb.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Pojhapkb.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Pojhapkb.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nnmpodcb.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nnmpodcb.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nnmpodcb.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nnmpodcb.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nnmpodcb.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Lqbqnc32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Lqbqnc32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Lqbqnc32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Lqbqnc32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Lqbqnc32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jbogli32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jbogli32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jbogli32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jbogli32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jbogli32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Naipepdh.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Naipepdh.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Naipepdh.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Naipepdh.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Naipepdh.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Lgqbfmlj.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Lgqbfmlj.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Lgqbfmlj.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Lgqbfmlj.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Lgqbfmlj.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ikgcna32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Ikgcna32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ikgcna32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ikgcna32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ikgcna32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nbdbdc32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nbdbdc32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nbdbdc32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nbdbdc32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nbdbdc32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Khnicb32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Khnicb32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Khnicb32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Khnicb32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Khnicb32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mhlaakam.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mhlaakam.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mhlaakam.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mhlaakam.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mhlaakam.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ikklipqi.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Ikklipqi.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ikklipqi.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ikklipqi.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ikklipqi.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jddqaf32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jddqaf32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jddqaf32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jddqaf32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jddqaf32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Idogffko.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Idogffko.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Idogffko.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Idogffko.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Idogffko.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ipfhkgac.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Ipfhkgac.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ipfhkgac.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ipfhkgac.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ipfhkgac.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Plbiofci.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Plbiofci.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Plbiofci.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Plbiofci.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Plbiofci.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Khbbobom.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Khbbobom.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Khbbobom.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Khbbobom.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Khbbobom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jgdjcadj.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jgdjcadj.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jgdjcadj.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jgdjcadj.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jgdjcadj.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ooipkb32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Ooipkb32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ooipkb32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ooipkb32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ooipkb32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Obbofa32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Obbofa32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Obbofa32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Obbofa32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Obbofa32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nlaqhh32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nlaqhh32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nlaqhh32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nlaqhh32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nlaqhh32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Kjjlpk32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kjjlpk32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Kjjlpk32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Kjjlpk32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Kjjlpk32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Oihnglob.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Oihnglob.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Oihnglob.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Oihnglob.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Oihnglob.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Pklpkb32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Pklpkb32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Pklpkb32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Pklpkb32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Pklpkb32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jkbbioja.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jkbbioja.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jkbbioja.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jkbbioja.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jkbbioja.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Maefjq32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Maefjq32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Maefjq32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Maefjq32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Maefjq32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mnodnfob.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mnodnfob.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mnodnfob.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mnodnfob.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mnodnfob.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
Click to see the 195 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.2001051775.000000000042B000.00000004.00000001.01000000.0000001B.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000022.00000002.2012897426.000000000042B000.00000004.00000001.01000000.00000025.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001A.00000002.2002980502.000000000042B000.00000004.00000001.01000000.0000001D.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10eb2:$a1: get_Registry 0x11fb2:$a2: SEE_MASK_NOZONECHECKS 0x120ae:$a3: Download ERROR 0x11f74:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11f06:$a5: netsh firewall delete allowedprogram "
00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11fe2:$a1: netsh firewall add allowedprogram 0x11fb2:$a2: SEE_MASK_NOZONECHECKS 0x1225c:$b1: [TAP] 0x11f74:$c3: cmd.exe /c ping
00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11fb2:$reg: SEE_MASK_NOZONECHECKS 0x1208a:$msg: Execute ERROR 0x120e6:$msg: Execute ERROR 0x11f74:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11883:$a1: get_Registry 0x5014a:$a1: get_Registry 0x12983:$a2: SEE_MASK_NOZONECHECKS 0x5124a:$a2: SEE_MASK_NOZONECHECKS 0x12a7f:$a3: Download ERROR 0x51346:$a3: Download ERROR 0x12945:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5120c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x128d7:$a5: netsh firewall delete allowedprogram " 0x5119e:$a5: netsh firewall delete allowedprogram "
0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129b3:$a1: netsh firewall add allowedprogram 0x5127a:$a1: netsh firewall add allowedprogram 0x12983:$a2: SEE_MASK_NOZONECHECKS 0x5124a:$a2: SEE_MASK_NOZONECHECKS 0x12c2d:$b1: [TAP] 0x514f4:$b1: [TAP] 0x12945:$c3: cmd.exe /c ping 0x5120c:$c3: cmd.exe /c ping
0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12983:$reg: SEE_MASK_NOZONECHECKS 0x5124a:$reg: SEE_MASK_NOZONECHECKS 0x12a5b:$msg: Execute ERROR 0x12ab7:$msg: Execute ERROR 0x51322:$msg: Execute ERROR 0x5137e:$msg: Execute ERROR 0x12945:$ping: cmd.exe /c ping 0 -n 2 & del 0x5120c:$ping: cmd.exe /c ping 0 -n 2 & del
00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10fda:$a1: get_Registry 0x120da:$a2: SEE_MASK_NOZONECHECKS 0x121d6:$a3: Download ERROR 0x1209c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1202e:$a5: netsh firewall delete allowedprogram "
00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1210a:$a1: netsh firewall add allowedprogram 0x120da:$a2: SEE_MASK_NOZONECHECKS 0x12384:$b1: [TAP] 0x1209c:$c3: cmd.exe /c ping
00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x120da:$reg: SEE_MASK_NOZONECHECKS 0x121b2:$msg: Execute ERROR 0x1220e:$msg: Execute ERROR 0x1209c:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118d2:$a1: get_Registry 0x129d2:$a2: SEE_MASK_NOZONECHECKS 0x12ace:$a3: Download ERROR 0x12994:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12926:$a5: netsh firewall delete allowedprogram "
0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12a02:$a1: netsh firewall add allowedprogram 0x129d2:$a2: SEE_MASK_NOZONECHECKS 0x12c7c:$b1: [TAP] 0x12994:$c3: cmd.exe /c ping
0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129d2:$reg: SEE_MASK_NOZONECHECKS 0x12aaa:$msg: Execute ERROR 0x12b06:$msg: Execute ERROR 0x12994:$ping: cmd.exe /c ping 0 -n 2 & del
00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x107ba:$a1: get_Registry 0x118ba:$a2: SEE_MASK_NOZONECHECKS 0x119b6:$a3: Download ERROR 0x1187c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1180e:$a5: netsh firewall delete allowedprogram "
00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x118ea:$a1: netsh firewall add allowedprogram 0x118ba:$a2: SEE_MASK_NOZONECHECKS 0x11b64:$b1: [TAP] 0x1187c:$c3: cmd.exe /c ping
00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x118ba:$reg: SEE_MASK_NOZONECHECKS 0x11992:$msg: Execute ERROR 0x119ee:$msg: Execute ERROR 0x1187c:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11713:$a1: get_Registry 0x4ffda:$a1: get_Registry 0x12813:$a2: SEE_MASK_NOZONECHECKS 0x510da:$a2: SEE_MASK_NOZONECHECKS 0x1290f:$a3: Download ERROR 0x511d6:$a3: Download ERROR 0x127d5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5109c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12767:$a5: netsh firewall delete allowedprogram " 0x5102e:$a5: netsh firewall delete allowedprogram "
00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12843:$a1: netsh firewall add allowedprogram 0x5110a:$a1: netsh firewall add allowedprogram 0x12813:$a2: SEE_MASK_NOZONECHECKS 0x510da:$a2: SEE_MASK_NOZONECHECKS 0x12abd:$b1: [TAP] 0x51384:$b1: [TAP] 0x127d5:$c3: cmd.exe /c ping 0x5109c:$c3: cmd.exe /c ping
00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12813:$reg: SEE_MASK_NOZONECHECKS 0x510da:$reg: SEE_MASK_NOZONECHECKS 0x128eb:$msg: Execute ERROR 0x12947:$msg: Execute ERROR 0x511b2:$msg: Execute ERROR 0x5120e:$msg: Execute ERROR 0x127d5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5109c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11dfb:$a1: get_Registry 0x506c2:$a1: get_Registry 0x12efb:$a2: SEE_MASK_NOZONECHECKS 0x517c2:$a2: SEE_MASK_NOZONECHECKS 0x12ff7:$a3: Download ERROR 0x518be:$a3: Download ERROR 0x12ebd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51784:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e4f:$a5: netsh firewall delete allowedprogram " 0x51716:$a5: netsh firewall delete allowedprogram "
0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f2b:$a1: netsh firewall add allowedprogram 0x517f2:$a1: netsh firewall add allowedprogram 0x12efb:$a2: SEE_MASK_NOZONECHECKS 0x517c2:$a2: SEE_MASK_NOZONECHECKS 0x131a5:$b1: [TAP] 0x51a6c:$b1: [TAP] 0x12ebd:$c3: cmd.exe /c ping 0x51784:$c3: cmd.exe /c ping
0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12efb:$reg: SEE_MASK_NOZONECHECKS 0x517c2:$reg: SEE_MASK_NOZONECHECKS 0x12fd3:$msg: Execute ERROR 0x1302f:$msg: Execute ERROR 0x5189a:$msg: Execute ERROR 0x518f6:$msg: Execute ERROR 0x12ebd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51784:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10fe2:$a1: get_Registry 0x120e2:$a2: SEE_MASK_NOZONECHECKS 0x121de:$a3: Download ERROR 0x120a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12036:$a5: netsh firewall delete allowedprogram "
00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12112:$a1: netsh firewall add allowedprogram 0x120e2:$a2: SEE_MASK_NOZONECHECKS 0x1238c:$b1: [TAP] 0x120a4:$c3: cmd.exe /c ping
00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x120e2:$reg: SEE_MASK_NOZONECHECKS 0x121ba:$msg: Execute ERROR 0x12216:$msg: Execute ERROR 0x120a4:$ping: cmd.exe /c ping 0 -n 2 & del
00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x114da:$a1: get_Registry 0x125da:$a2: SEE_MASK_NOZONECHECKS 0x126d6:$a3: Download ERROR 0x1259c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1252e:$a5: netsh firewall delete allowedprogram "
00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1260a:$a1: netsh firewall add allowedprogram 0x125da:$a2: SEE_MASK_NOZONECHECKS 0x12884:$b1: [TAP] 0x1259c:$c3: cmd.exe /c ping
00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x125da:$reg: SEE_MASK_NOZONECHECKS 0x126b2:$msg: Execute ERROR 0x1270e:$msg: Execute ERROR 0x1259c:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10fda:$a1: get_Registry 0x120da:$a2: SEE_MASK_NOZONECHECKS 0x121d6:$a3: Download ERROR 0x1209c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1202e:$a5: netsh firewall delete allowedprogram "
00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1210a:$a1: netsh firewall add allowedprogram 0x120da:$a2: SEE_MASK_NOZONECHECKS 0x12384:$b1: [TAP] 0x1209c:$c3: cmd.exe /c ping
00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x120da:$reg: SEE_MASK_NOZONECHECKS 0x121b2:$msg: Execute ERROR 0x1220e:$msg: Execute ERROR 0x1209c:$ping: cmd.exe /c ping 0 -n 2 & del
00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118d2:$a1: get_Registry 0x129d2:$a2: SEE_MASK_NOZONECHECKS 0x12ace:$a3: Download ERROR 0x12994:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12926:$a5: netsh firewall delete allowedprogram "
00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12a02:$a1: netsh firewall add allowedprogram 0x129d2:$a2: SEE_MASK_NOZONECHECKS 0x12c7c:$b1: [TAP] 0x12994:$c3: cmd.exe /c ping
00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129d2:$reg: SEE_MASK_NOZONECHECKS 0x12aaa:$msg: Execute ERROR 0x12b06:$msg: Execute ERROR 0x12994:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11823:$a1: get_Registry 0x500ea:$a1: get_Registry 0x12923:$a2: SEE_MASK_NOZONECHECKS 0x511ea:$a2: SEE_MASK_NOZONECHECKS 0x12a1f:$a3: Download ERROR 0x512e6:$a3: Download ERROR 0x128e5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12877:$a5: netsh firewall delete allowedprogram " 0x5113e:$a5: netsh firewall delete allowedprogram "
0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12953:$a1: netsh firewall add allowedprogram 0x5121a:$a1: netsh firewall add allowedprogram 0x12923:$a2: SEE_MASK_NOZONECHECKS 0x511ea:$a2: SEE_MASK_NOZONECHECKS 0x12bcd:$b1: [TAP] 0x51494:$b1: [TAP] 0x128e5:$c3: cmd.exe /c ping 0x511ac:$c3: cmd.exe /c ping
00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12923:$reg: SEE_MASK_NOZONECHECKS 0x511ea:$reg: SEE_MASK_NOZONECHECKS 0x129fb:$msg: Execute ERROR 0x12a57:$msg: Execute ERROR 0x512c2:$msg: Execute ERROR 0x5131e:$msg: Execute ERROR 0x128e5:$ping: cmd.exe /c ping 0 -n 2 & del 0x511ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11873:$a1: get_Registry 0x5013a:$a1: get_Registry 0x12973:$a2: SEE_MASK_NOZONECHECKS 0x5123a:$a2: SEE_MASK_NOZONECHECKS 0x12a6f:$a3: Download ERROR 0x51336:$a3: Download ERROR 0x12935:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x128c7:$a5: netsh firewall delete allowedprogram " 0x5118e:$a5: netsh firewall delete allowedprogram "
0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129a3:$a1: netsh firewall add allowedprogram 0x5126a:$a1: netsh firewall add allowedprogram 0x12973:$a2: SEE_MASK_NOZONECHECKS 0x5123a:$a2: SEE_MASK_NOZONECHECKS 0x12c1d:$b1: [TAP] 0x514e4:$b1: [TAP] 0x12935:$c3: cmd.exe /c ping 0x511fc:$c3: cmd.exe /c ping
0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12973:$reg: SEE_MASK_NOZONECHECKS 0x5123a:$reg: SEE_MASK_NOZONECHECKS 0x12a4b:$msg: Execute ERROR 0x12aa7:$msg: Execute ERROR 0x51312:$msg: Execute ERROR 0x5136e:$msg: Execute ERROR 0x12935:$ping: cmd.exe /c ping 0 -n 2 & del 0x511fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000027.00000002.2017857827.000000000042B000.00000004.00000001.01000000.0000002A.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001F.00000002.2009121717.000000000042B000.00000004.00000001.01000000.00000022.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108d2:$a1: get_Registry 0x119d2:$a2: SEE_MASK_NOZONECHECKS 0x11ace:$a3: Download ERROR 0x11994:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11926:$a5: netsh firewall delete allowedprogram "
00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a02:$a1: netsh firewall add allowedprogram 0x119d2:$a2: SEE_MASK_NOZONECHECKS 0x11c7c:$b1: [TAP] 0x11994:$c3: cmd.exe /c ping
00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119d2:$reg: SEE_MASK_NOZONECHECKS 0x11aaa:$msg: Execute ERROR 0x11b06:$msg: Execute ERROR 0x11994:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10fe2:$a1: get_Registry 0x120e2:$a2: SEE_MASK_NOZONECHECKS 0x121de:$a3: Download ERROR 0x120a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12036:$a5: netsh firewall delete allowedprogram "
00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12112:$a1: netsh firewall add allowedprogram 0x120e2:$a2: SEE_MASK_NOZONECHECKS 0x1238c:$b1: [TAP] 0x120a4:$c3: cmd.exe /c ping
00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x120e2:$reg: SEE_MASK_NOZONECHECKS 0x121ba:$msg: Execute ERROR 0x12216:$msg: Execute ERROR 0x120a4:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1145a:$a1: get_Registry 0x1255a:$a2: SEE_MASK_NOZONECHECKS 0x12656:$a3: Download ERROR 0x1251c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x124ae:$a5: netsh firewall delete allowedprogram "
00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1258a:$a1: netsh firewall add allowedprogram 0x1255a:$a2: SEE_MASK_NOZONECHECKS 0x12804:$b1: [TAP] 0x1251c:$c3: cmd.exe /c ping
00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1255a:$reg: SEE_MASK_NOZONECHECKS 0x12632:$msg: Execute ERROR 0x1268e:$msg: Execute ERROR 0x1251c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000016.00000002.1998585566.000000000042B000.00000004.00000001.01000000.00000019.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1181b:$a1: get_Registry 0x500e2:$a1: get_Registry 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12a17:$a3: Download ERROR 0x512de:$a3: Download ERROR 0x128dd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1286f:$a5: netsh firewall delete allowedprogram " 0x51136:$a5: netsh firewall delete allowedprogram "
00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1294b:$a1: netsh firewall add allowedprogram 0x51212:$a1: netsh firewall add allowedprogram 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12bc5:$b1: [TAP] 0x5148c:$b1: [TAP] 0x128dd:$c3: cmd.exe /c ping 0x511a4:$c3: cmd.exe /c ping
00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1291b:$reg: SEE_MASK_NOZONECHECKS 0x511e2:$reg: SEE_MASK_NOZONECHECKS 0x129f3:$msg: Execute ERROR 0x12a4f:$msg: Execute ERROR 0x512ba:$msg: Execute ERROR 0x51316:$msg: Execute ERROR 0x128dd:$ping: cmd.exe /c ping 0 -n 2 & del 0x511a4:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000002.2004365207.000000000042B000.00000004.00000001.01000000.0000001E.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1181b:$a1: get_Registry 0x500e2:$a1: get_Registry 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12a17:$a3: Download ERROR 0x512de:$a3: Download ERROR 0x128dd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1286f:$a5: netsh firewall delete allowedprogram " 0x51136:$a5: netsh firewall delete allowedprogram "
00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1294b:$a1: netsh firewall add allowedprogram 0x51212:$a1: netsh firewall add allowedprogram 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12bc5:$b1: [TAP] 0x5148c:$b1: [TAP] 0x128dd:$c3: cmd.exe /c ping 0x511a4:$c3: cmd.exe /c ping
00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1291b:$reg: SEE_MASK_NOZONECHECKS 0x511e2:$reg: SEE_MASK_NOZONECHECKS 0x129f3:$msg: Execute ERROR 0x12a4f:$msg: Execute ERROR 0x512ba:$msg: Execute ERROR 0x51316:$msg: Execute ERROR 0x128dd:$ping: cmd.exe /c ping 0 -n 2 & del 0x511a4:$ping: cmd.exe /c ping 0 -n 2 & del
00000025.00000002.2016019452.000000000042B000.00000004.00000001.01000000.00000028.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1159a:$a1: get_Registry 0x1269a:$a2: SEE_MASK_NOZONECHECKS 0x12796:$a3: Download ERROR 0x1265c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x125ee:$a5: netsh firewall delete allowedprogram "
00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x126ca:$a1: netsh firewall add allowedprogram 0x1269a:$a2: SEE_MASK_NOZONECHECKS 0x12944:$b1: [TAP] 0x1265c:$c3: cmd.exe /c ping
00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1269a:$reg: SEE_MASK_NOZONECHECKS 0x12772:$msg: Execute ERROR 0x127ce:$msg: Execute ERROR 0x1265c:$ping: cmd.exe /c ping 0 -n 2 & del
0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1186b:$a1: get_Registry 0x50132:$a1: get_Registry 0x1296b:$a2: SEE_MASK_NOZONECHECKS 0x51232:$a2: SEE_MASK_NOZONECHECKS 0x12a67:$a3: Download ERROR 0x5132e:$a3: Download ERROR 0x1292d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511f4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x128bf:$a5: netsh firewall delete allowedprogram " 0x51186:$a5: netsh firewall delete allowedprogram "
0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1299b:$a1: netsh firewall add allowedprogram 0x51262:$a1: netsh firewall add allowedprogram 0x1296b:$a2: SEE_MASK_NOZONECHECKS 0x51232:$a2: SEE_MASK_NOZONECHECKS 0x12c15:$b1: [TAP] 0x514dc:$b1: [TAP] 0x1292d:$c3: cmd.exe /c ping 0x511f4:$c3: cmd.exe /c ping
0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1296b:$reg: SEE_MASK_NOZONECHECKS 0x51232:$reg: SEE_MASK_NOZONECHECKS 0x12a43:$msg: Execute ERROR 0x12a9f:$msg: Execute ERROR 0x5130a:$msg: Execute ERROR 0x51366:$msg: Execute ERROR 0x1292d:$ping: cmd.exe /c ping 0 -n 2 & del 0x511f4:$ping: cmd.exe /c ping 0 -n 2 & del
0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1092a:$a1: get_Registry 0x11a2a:$a2: SEE_MASK_NOZONECHECKS 0x11b26:$a3: Download ERROR 0x119ec:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1197e:$a5: netsh firewall delete allowedprogram "
0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a5a:$a1: netsh firewall add allowedprogram 0x11a2a:$a2: SEE_MASK_NOZONECHECKS 0x11cd4:$b1: [TAP] 0x119ec:$c3: cmd.exe /c ping
0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a2a:$reg: SEE_MASK_NOZONECHECKS 0x11b02:$msg: Execute ERROR 0x11b5e:$msg: Execute ERROR 0x119ec:$ping: cmd.exe /c ping 0 -n 2 & del
00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1170b:$a1: get_Registry 0x4ffd2:$a1: get_Registry 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12907:$a3: Download ERROR 0x511ce:$a3: Download ERROR 0x127cd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51094:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1275f:$a5: netsh firewall delete allowedprogram " 0x51026:$a5: netsh firewall delete allowedprogram "
00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1283b:$a1: netsh firewall add allowedprogram 0x51102:$a1: netsh firewall add allowedprogram 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12ab5:$b1: [TAP] 0x5137c:$b1: [TAP] 0x127cd:$c3: cmd.exe /c ping 0x51094:$c3: cmd.exe /c ping
00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1280b:$reg: SEE_MASK_NOZONECHECKS 0x510d2:$reg: SEE_MASK_NOZONECHECKS 0x128e3:$msg: Execute ERROR 0x1293f:$msg: Execute ERROR 0x511aa:$msg: Execute ERROR 0x51206:$msg: Execute ERROR 0x127cd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51094:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113fb:$a1: get_Registry 0x4fcc2:$a1: get_Registry 0x124fb:$a2: SEE_MASK_NOZONECHECKS 0x50dc2:$a2: SEE_MASK_NOZONECHECKS 0x125f7:$a3: Download ERROR 0x50ebe:$a3: Download ERROR 0x124bd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x50d84:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1244f:$a5: netsh firewall delete allowedprogram " 0x50d16:$a5: netsh firewall delete allowedprogram "
00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1252b:$a1: netsh firewall add allowedprogram 0x50df2:$a1: netsh firewall add allowedprogram 0x124fb:$a2: SEE_MASK_NOZONECHECKS 0x50dc2:$a2: SEE_MASK_NOZONECHECKS 0x127a5:$b1: [TAP] 0x5106c:$b1: [TAP] 0x124bd:$c3: cmd.exe /c ping 0x50d84:$c3: cmd.exe /c ping
00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x124fb:$reg: SEE_MASK_NOZONECHECKS 0x50dc2:$reg: SEE_MASK_NOZONECHECKS 0x125d3:$msg: Execute ERROR 0x1262f:$msg: Execute ERROR 0x50e9a:$msg: Execute ERROR 0x50ef6:$msg: Execute ERROR 0x124bd:$ping: cmd.exe /c ping 0 -n 2 & del 0x50d84:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10eba:$a1: get_Registry 0x11fba:$a2: SEE_MASK_NOZONECHECKS 0x120b6:$a3: Download ERROR 0x11f7c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11f0e:$a5: netsh firewall delete allowedprogram "
00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11fea:$a1: netsh firewall add allowedprogram 0x11fba:$a2: SEE_MASK_NOZONECHECKS 0x12264:$b1: [TAP] 0x11f7c:$c3: cmd.exe /c ping
00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11fba:$reg: SEE_MASK_NOZONECHECKS 0x12092:$msg: Execute ERROR 0x120ee:$msg: Execute ERROR 0x11f7c:$ping: cmd.exe /c ping 0 -n 2 & del
00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10eba:$a1: get_Registry 0x11fba:$a2: SEE_MASK_NOZONECHECKS 0x120b6:$a3: Download ERROR 0x11f7c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11f0e:$a5: netsh firewall delete allowedprogram "
00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11fea:$a1: netsh firewall add allowedprogram 0x11fba:$a2: SEE_MASK_NOZONECHECKS 0x12264:$b1: [TAP] 0x11f7c:$c3: cmd.exe /c ping
00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11fba:$reg: SEE_MASK_NOZONECHECKS 0x12092:$msg: Execute ERROR 0x120ee:$msg: Execute ERROR 0x11f7c:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000002.2011709914.000000000042B000.00000004.00000001.01000000.00000024.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11b8b:$a1: get_Registry 0x50452:$a1: get_Registry 0x12c8b:$a2: SEE_MASK_NOZONECHECKS 0x51552:$a2: SEE_MASK_NOZONECHECKS 0x12d87:$a3: Download ERROR 0x5164e:$a3: Download ERROR 0x12c4d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51514:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12bdf:$a5: netsh firewall delete allowedprogram " 0x514a6:$a5: netsh firewall delete allowedprogram "
00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12cbb:$a1: netsh firewall add allowedprogram 0x51582:$a1: netsh firewall add allowedprogram 0x12c8b:$a2: SEE_MASK_NOZONECHECKS 0x51552:$a2: SEE_MASK_NOZONECHECKS 0x12f35:$b1: [TAP] 0x517fc:$b1: [TAP] 0x12c4d:$c3: cmd.exe /c ping 0x51514:$c3: cmd.exe /c ping
00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12c8b:$reg: SEE_MASK_NOZONECHECKS 0x51552:$reg: SEE_MASK_NOZONECHECKS 0x12d63:$msg: Execute ERROR 0x12dbf:$msg: Execute ERROR 0x5162a:$msg: Execute ERROR 0x51686:$msg: Execute ERROR 0x12c4d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51514:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001C.00000002.2005187515.000000000042B000.00000004.00000001.01000000.0000001F.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113aa:$a1: get_Registry 0x124aa:$a2: SEE_MASK_NOZONECHECKS 0x125a6:$a3: Download ERROR 0x1246c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x123fe:$a5: netsh firewall delete allowedprogram "
0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x124da:$a1: netsh firewall add allowedprogram 0x124aa:$a2: SEE_MASK_NOZONECHECKS 0x12754:$b1: [TAP] 0x1246c:$c3: cmd.exe /c ping
0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x124aa:$reg: SEE_MASK_NOZONECHECKS 0x12582:$msg: Execute ERROR 0x125de:$msg: Execute ERROR 0x1246c:$ping: cmd.exe /c ping 0 -n 2 & del
0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000020.00000002.2010388848.000000000042B000.00000004.00000001.01000000.00000023.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1102a:$a1: get_Registry 0x1212a:$a2: SEE_MASK_NOZONECHECKS 0x12226:$a3: Download ERROR 0x120ec:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1207e:$a5: netsh firewall delete allowedprogram "
00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1215a:$a1: netsh firewall add allowedprogram 0x1212a:$a2: SEE_MASK_NOZONECHECKS 0x123d4:$b1: [TAP] 0x120ec:$c3: cmd.exe /c ping
00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1212a:$reg: SEE_MASK_NOZONECHECKS 0x12202:$msg: Execute ERROR 0x1225e:$msg: Execute ERROR 0x120ec:$ping: cmd.exe /c ping 0 -n 2 & del
0000001E.00000002.2008077984.000000000042B000.00000004.00000001.01000000.00000021.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11703:$a1: get_Registry 0x4ffca:$a1: get_Registry 0x12803:$a2: SEE_MASK_NOZONECHECKS 0x510ca:$a2: SEE_MASK_NOZONECHECKS 0x128ff:$a3: Download ERROR 0x511c6:$a3: Download ERROR 0x127c5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5108c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12757:$a5: netsh firewall delete allowedprogram " 0x5101e:$a5: netsh firewall delete allowedprogram "
00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12833:$a1: netsh firewall add allowedprogram 0x510fa:$a1: netsh firewall add allowedprogram 0x12803:$a2: SEE_MASK_NOZONECHECKS 0x510ca:$a2: SEE_MASK_NOZONECHECKS 0x12aad:$b1: [TAP] 0x51374:$b1: [TAP] 0x127c5:$c3: cmd.exe /c ping 0x5108c:$c3: cmd.exe /c ping
00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12803:$reg: SEE_MASK_NOZONECHECKS 0x510ca:$reg: SEE_MASK_NOZONECHECKS 0x128db:$msg: Execute ERROR 0x12937:$msg: Execute ERROR 0x511a2:$msg: Execute ERROR 0x511fe:$msg: Execute ERROR 0x127c5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5108c:$ping: cmd.exe /c ping 0 -n 2 & del
0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11ccb:$a1: get_Registry 0x50592:$a1: get_Registry 0x12dcb:$a2: SEE_MASK_NOZONECHECKS 0x51692:$a2: SEE_MASK_NOZONECHECKS 0x12ec7:$a3: Download ERROR 0x5178e:$a3: Download ERROR 0x12d8d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51654:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12d1f:$a5: netsh firewall delete allowedprogram " 0x515e6:$a5: netsh firewall delete allowedprogram "
00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12dfb:$a1: netsh firewall add allowedprogram 0x516c2:$a1: netsh firewall add allowedprogram 0x12dcb:$a2: SEE_MASK_NOZONECHECKS 0x51692:$a2: SEE_MASK_NOZONECHECKS 0x13075:$b1: [TAP] 0x5193c:$b1: [TAP] 0x12d8d:$c3: cmd.exe /c ping 0x51654:$c3: cmd.exe /c ping
00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12dcb:$reg: SEE_MASK_NOZONECHECKS 0x51692:$reg: SEE_MASK_NOZONECHECKS 0x12ea3:$msg: Execute ERROR 0x12eff:$msg: Execute ERROR 0x5176a:$msg: Execute ERROR 0x517c6:$msg: Execute ERROR 0x12d8d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51654:$ping: cmd.exe /c ping 0 -n 2 & del
00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11dd3:$a1: get_Registry 0x5069a:$a1: get_Registry 0x12ed3:$a2: SEE_MASK_NOZONECHECKS 0x5179a:$a2: SEE_MASK_NOZONECHECKS 0x12fcf:$a3: Download ERROR 0x51896:$a3: Download ERROR 0x12e95:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5175c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e27:$a5: netsh firewall delete allowedprogram " 0x516ee:$a5: netsh firewall delete allowedprogram "
00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f03:$a1: netsh firewall add allowedprogram 0x517ca:$a1: netsh firewall add allowedprogram 0x12ed3:$a2: SEE_MASK_NOZONECHECKS 0x5179a:$a2: SEE_MASK_NOZONECHECKS 0x1317d:$b1: [TAP] 0x51a44:$b1: [TAP] 0x12e95:$c3: cmd.exe /c ping 0x5175c:$c3: cmd.exe /c ping
00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12ed3:$reg: SEE_MASK_NOZONECHECKS 0x5179a:$reg: SEE_MASK_NOZONECHECKS 0x12fab:$msg: Execute ERROR 0x13007:$msg: Execute ERROR 0x51872:$msg: Execute ERROR 0x518ce:$msg: Execute ERROR 0x12e95:$ping: cmd.exe /c ping 0 -n 2 & del 0x5175c:$ping: cmd.exe /c ping 0 -n 2 & del
00000017.00000002.1999586381.000000000042B000.00000004.00000001.01000000.0000001A.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1193a:$a1: get_Registry 0x12a3a:$a2: SEE_MASK_NOZONECHECKS 0x12b36:$a3: Download ERROR 0x129fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1298e:$a5: netsh firewall delete allowedprogram "
0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12a6a:$a1: netsh firewall add allowedprogram 0x12a3a:$a2: SEE_MASK_NOZONECHECKS 0x12ce4:$b1: [TAP] 0x129fc:$c3: cmd.exe /c ping
0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12a3a:$reg: SEE_MASK_NOZONECHECKS 0x12b12:$msg: Execute ERROR 0x12b6e:$msg: Execute ERROR 0x129fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e03:$a1: get_Registry 0x506ca:$a1: get_Registry 0x12f03:$a2: SEE_MASK_NOZONECHECKS 0x517ca:$a2: SEE_MASK_NOZONECHECKS 0x12fff:$a3: Download ERROR 0x518c6:$a3: Download ERROR 0x12ec5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5178c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e57:$a5: netsh firewall delete allowedprogram " 0x5171e:$a5: netsh firewall delete allowedprogram "
00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f33:$a1: netsh firewall add allowedprogram 0x517fa:$a1: netsh firewall add allowedprogram 0x12f03:$a2: SEE_MASK_NOZONECHECKS 0x517ca:$a2: SEE_MASK_NOZONECHECKS 0x131ad:$b1: [TAP] 0x51a74:$b1: [TAP] 0x12ec5:$c3: cmd.exe /c ping 0x5178c:$c3: cmd.exe /c ping
00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f03:$reg: SEE_MASK_NOZONECHECKS 0x517ca:$reg: SEE_MASK_NOZONECHECKS 0x12fdb:$msg: Execute ERROR 0x13037:$msg: Execute ERROR 0x518a2:$msg: Execute ERROR 0x518fe:$msg: Execute ERROR 0x12ec5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5178c:$ping: cmd.exe /c ping 0 -n 2 & del
00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11f73:$a1: get_Registry 0x5083a:$a1: get_Registry 0x13073:$a2: SEE_MASK_NOZONECHECKS 0x5193a:$a2: SEE_MASK_NOZONECHECKS 0x1316f:$a3: Download ERROR 0x51a36:$a3: Download ERROR 0x13035:$a4: cmd.exe /c ping 0 -n 2 & del " 0x518fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12fc7:$a5: netsh firewall delete allowedprogram " 0x5188e:$a5: netsh firewall delete allowedprogram "
00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x130a3:$a1: netsh firewall add allowedprogram 0x5196a:$a1: netsh firewall add allowedprogram 0x13073:$a2: SEE_MASK_NOZONECHECKS 0x5193a:$a2: SEE_MASK_NOZONECHECKS 0x1331d:$b1: [TAP] 0x51be4:$b1: [TAP] 0x13035:$c3: cmd.exe /c ping 0x518fc:$c3: cmd.exe /c ping
00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x13073:$reg: SEE_MASK_NOZONECHECKS 0x5193a:$reg: SEE_MASK_NOZONECHECKS 0x1314b:$msg: Execute ERROR 0x131a7:$msg: Execute ERROR 0x51a12:$msg: Execute ERROR 0x51a6e:$msg: Execute ERROR 0x13035:$ping: cmd.exe /c ping 0 -n 2 & del 0x518fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118da:$a1: get_Registry 0x129da:$a2: SEE_MASK_NOZONECHECKS 0x12ad6:$a3: Download ERROR 0x1299c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1292e:$a5: netsh firewall delete allowedprogram "
00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12a0a:$a1: netsh firewall add allowedprogram 0x129da:$a2: SEE_MASK_NOZONECHECKS 0x12c84:$b1: [TAP] 0x1299c:$c3: cmd.exe /c ping
00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129da:$reg: SEE_MASK_NOZONECHECKS 0x12ab2:$msg: Execute ERROR 0x12b0e:$msg: Execute ERROR 0x1299c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000026.00000002.2017111770.000000000042B000.00000004.00000001.01000000.00000029.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1030a:$a1: get_Registry 0x1140a:$a2: SEE_MASK_NOZONECHECKS 0x11506:$a3: Download ERROR 0x113cc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1135e:$a5: netsh firewall delete allowedprogram "
00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1143a:$a1: netsh firewall add allowedprogram 0x1140a:$a2: SEE_MASK_NOZONECHECKS 0x116b4:$b1: [TAP] 0x113cc:$c3: cmd.exe /c ping
00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1140a:$reg: SEE_MASK_NOZONECHECKS 0x114e2:$msg: Execute ERROR 0x1153e:$msg: Execute ERROR 0x113cc:$ping: cmd.exe /c ping 0 -n 2 & del
00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11adb:$a1: get_Registry 0x503a2:$a1: get_Registry 0x12bdb:$a2: SEE_MASK_NOZONECHECKS 0x514a2:$a2: SEE_MASK_NOZONECHECKS 0x12cd7:$a3: Download ERROR 0x5159e:$a3: Download ERROR 0x12b9d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51464:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12b2f:$a5: netsh firewall delete allowedprogram " 0x513f6:$a5: netsh firewall delete allowedprogram "
0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12c0b:$a1: netsh firewall add allowedprogram 0x514d2:$a1: netsh firewall add allowedprogram 0x12bdb:$a2: SEE_MASK_NOZONECHECKS 0x514a2:$a2: SEE_MASK_NOZONECHECKS 0x12e85:$b1: [TAP] 0x5174c:$b1: [TAP] 0x12b9d:$c3: cmd.exe /c ping 0x51464:$c3: cmd.exe /c ping
0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12bdb:$reg: SEE_MASK_NOZONECHECKS 0x514a2:$reg: SEE_MASK_NOZONECHECKS 0x12cb3:$msg: Execute ERROR 0x12d0f:$msg: Execute ERROR 0x5157a:$msg: Execute ERROR 0x515d6:$msg: Execute ERROR 0x12b9d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51464:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1093a:$a1: get_Registry 0x11a3a:$a2: SEE_MASK_NOZONECHECKS 0x11b36:$a3: Download ERROR 0x119fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1198e:$a5: netsh firewall delete allowedprogram "
00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a6a:$a1: netsh firewall add allowedprogram 0x11a3a:$a2: SEE_MASK_NOZONECHECKS 0x11ce4:$b1: [TAP] 0x119fc:$c3: cmd.exe /c ping
00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a3a:$reg: SEE_MASK_NOZONECHECKS 0x11b12:$msg: Execute ERROR 0x11b6e:$msg: Execute ERROR 0x119fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000002.1997873391.000000000042B000.00000004.00000001.01000000.00000018.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11c0b:$a1: get_Registry 0x504d2:$a1: get_Registry 0x12d0b:$a2: SEE_MASK_NOZONECHECKS 0x515d2:$a2: SEE_MASK_NOZONECHECKS 0x12e07:$a3: Download ERROR 0x516ce:$a3: Download ERROR 0x12ccd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51594:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12c5f:$a5: netsh firewall delete allowedprogram " 0x51526:$a5: netsh firewall delete allowedprogram "
00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12d3b:$a1: netsh firewall add allowedprogram 0x51602:$a1: netsh firewall add allowedprogram 0x12d0b:$a2: SEE_MASK_NOZONECHECKS 0x515d2:$a2: SEE_MASK_NOZONECHECKS 0x12fb5:$b1: [TAP] 0x5187c:$b1: [TAP] 0x12ccd:$c3: cmd.exe /c ping 0x51594:$c3: cmd.exe /c ping
00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12d0b:$reg: SEE_MASK_NOZONECHECKS 0x515d2:$reg: SEE_MASK_NOZONECHECKS 0x12de3:$msg: Execute ERROR 0x12e3f:$msg: Execute ERROR 0x516aa:$msg: Execute ERROR 0x51706:$msg: Execute ERROR 0x12ccd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51594:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11883:$a1: get_Registry 0x5014a:$a1: get_Registry 0x12983:$a2: SEE_MASK_NOZONECHECKS 0x5124a:$a2: SEE_MASK_NOZONECHECKS 0x12a7f:$a3: Download ERROR 0x51346:$a3: Download ERROR 0x12945:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5120c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x128d7:$a5: netsh firewall delete allowedprogram " 0x5119e:$a5: netsh firewall delete allowedprogram "
00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129b3:$a1: netsh firewall add allowedprogram 0x5127a:$a1: netsh firewall add allowedprogram 0x12983:$a2: SEE_MASK_NOZONECHECKS 0x5124a:$a2: SEE_MASK_NOZONECHECKS 0x12c2d:$b1: [TAP] 0x514f4:$b1: [TAP] 0x12945:$c3: cmd.exe /c ping 0x5120c:$c3: cmd.exe /c ping
00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12983:$reg: SEE_MASK_NOZONECHECKS 0x5124a:$reg: SEE_MASK_NOZONECHECKS 0x12a5b:$msg: Execute ERROR 0x12ab7:$msg: Execute ERROR 0x51322:$msg: Execute ERROR 0x5137e:$msg: Execute ERROR 0x12945:$ping: cmd.exe /c ping 0 -n 2 & del 0x5120c:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11713:$a1: get_Registry 0x4ffda:$a1: get_Registry 0x12813:$a2: SEE_MASK_NOZONECHECKS 0x510da:$a2: SEE_MASK_NOZONECHECKS 0x1290f:$a3: Download ERROR 0x511d6:$a3: Download ERROR 0x127d5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5109c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12767:$a5: netsh firewall delete allowedprogram " 0x5102e:$a5: netsh firewall delete allowedprogram "
00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12843:$a1: netsh firewall add allowedprogram 0x5110a:$a1: netsh firewall add allowedprogram 0x12813:$a2: SEE_MASK_NOZONECHECKS 0x510da:$a2: SEE_MASK_NOZONECHECKS 0x12abd:$b1: [TAP] 0x51384:$b1: [TAP] 0x127d5:$c3: cmd.exe /c ping 0x5109c:$c3: cmd.exe /c ping
00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12813:$reg: SEE_MASK_NOZONECHECKS 0x510da:$reg: SEE_MASK_NOZONECHECKS 0x128eb:$msg: Execute ERROR 0x12947:$msg: Execute ERROR 0x511b2:$msg: Execute ERROR 0x5120e:$msg: Execute ERROR 0x127d5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5109c:$ping: cmd.exe /c ping 0 -n 2 & del
00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10eb2:$a1: get_Registry 0x11fb2:$a2: SEE_MASK_NOZONECHECKS 0x120ae:$a3: Download ERROR 0x11f74:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11f06:$a5: netsh firewall delete allowedprogram "
0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11fe2:$a1: netsh firewall add allowedprogram 0x11fb2:$a2: SEE_MASK_NOZONECHECKS 0x1225c:$b1: [TAP] 0x11f74:$c3: cmd.exe /c ping
0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11fb2:$reg: SEE_MASK_NOZONECHECKS 0x1208a:$msg: Execute ERROR 0x120e6:$msg: Execute ERROR 0x11f74:$ping: cmd.exe /c ping 0 -n 2 & del
0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1181b:$a1: get_Registry 0x500e2:$a1: get_Registry 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12a17:$a3: Download ERROR 0x512de:$a3: Download ERROR 0x128dd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1286f:$a5: netsh firewall delete allowedprogram " 0x51136:$a5: netsh firewall delete allowedprogram "
0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1294b:$a1: netsh firewall add allowedprogram 0x51212:$a1: netsh firewall add allowedprogram 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12bc5:$b1: [TAP] 0x5148c:$b1: [TAP] 0x128dd:$c3: cmd.exe /c ping 0x511a4:$c3: cmd.exe /c ping
0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1291b:$reg: SEE_MASK_NOZONECHECKS 0x511e2:$reg: SEE_MASK_NOZONECHECKS 0x129f3:$msg: Execute ERROR 0x12a4f:$msg: Execute ERROR 0x512ba:$msg: Execute ERROR 0x51316:$msg: Execute ERROR 0x128dd:$ping: cmd.exe /c ping 0 -n 2 & del 0x511a4:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a33:$a1: get_Registry 0x502fa:$a1: get_Registry 0x12b33:$a2: SEE_MASK_NOZONECHECKS 0x513fa:$a2: SEE_MASK_NOZONECHECKS 0x12c2f:$a3: Download ERROR 0x514f6:$a3: Download ERROR 0x12af5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a87:$a5: netsh firewall delete allowedprogram " 0x5134e:$a5: netsh firewall delete allowedprogram "
0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b63:$a1: netsh firewall add allowedprogram 0x5142a:$a1: netsh firewall add allowedprogram 0x12b33:$a2: SEE_MASK_NOZONECHECKS 0x513fa:$a2: SEE_MASK_NOZONECHECKS 0x12ddd:$b1: [TAP] 0x516a4:$b1: [TAP] 0x12af5:$c3: cmd.exe /c ping 0x513bc:$c3: cmd.exe /c ping
0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b33:$reg: SEE_MASK_NOZONECHECKS 0x513fa:$reg: SEE_MASK_NOZONECHECKS 0x12c0b:$msg: Execute ERROR 0x12c67:$msg: Execute ERROR 0x514d2:$msg: Execute ERROR 0x5152e:$msg: Execute ERROR 0x12af5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x116a2:$a1: get_Registry 0x127a2:$a2: SEE_MASK_NOZONECHECKS 0x1289e:$a3: Download ERROR 0x12764:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126f6:$a5: netsh firewall delete allowedprogram "
00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127d2:$a1: netsh firewall add allowedprogram 0x127a2:$a2: SEE_MASK_NOZONECHECKS 0x12a4c:$b1: [TAP] 0x12764:$c3: cmd.exe /c ping
00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x127a2:$reg: SEE_MASK_NOZONECHECKS 0x1287a:$msg: Execute ERROR 0x128d6:$msg: Execute ERROR 0x12764:$ping: cmd.exe /c ping 0 -n 2 & del
00000024.00000002.2015659350.000000000042B000.00000004.00000001.01000000.00000027.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108d2:$a1: get_Registry 0x119d2:$a2: SEE_MASK_NOZONECHECKS 0x11ace:$a3: Download ERROR 0x11994:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11926:$a5: netsh firewall delete allowedprogram "
00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a02:$a1: netsh firewall add allowedprogram 0x119d2:$a2: SEE_MASK_NOZONECHECKS 0x11c7c:$b1: [TAP] 0x11994:$c3: cmd.exe /c ping
00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119d2:$reg: SEE_MASK_NOZONECHECKS 0x11aaa:$msg: Execute ERROR 0x11b06:$msg: Execute ERROR 0x11994:$ping: cmd.exe /c ping 0 -n 2 & del
00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000023.00000002.2014944937.000000000042B000.00000004.00000001.01000000.00000026.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1170b:$a1: get_Registry 0x4ffd2:$a1: get_Registry 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12907:$a3: Download ERROR 0x511ce:$a3: Download ERROR 0x127cd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51094:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1275f:$a5: netsh firewall delete allowedprogram " 0x51026:$a5: netsh firewall delete allowedprogram "
00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1283b:$a1: netsh firewall add allowedprogram 0x51102:$a1: netsh firewall add allowedprogram 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12ab5:$b1: [TAP] 0x5137c:$b1: [TAP] 0x127cd:$c3: cmd.exe /c ping 0x51094:$c3: cmd.exe /c ping
00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1280b:$reg: SEE_MASK_NOZONECHECKS 0x510d2:$reg: SEE_MASK_NOZONECHECKS 0x128e3:$msg: Execute ERROR 0x1293f:$msg: Execute ERROR 0x511aa:$msg: Execute ERROR 0x51206:$msg: Execute ERROR 0x127cd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51094:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11dfb:$a1: get_Registry 0x506c2:$a1: get_Registry 0x12efb:$a2: SEE_MASK_NOZONECHECKS 0x517c2:$a2: SEE_MASK_NOZONECHECKS 0x12ff7:$a3: Download ERROR 0x518be:$a3: Download ERROR 0x12ebd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51784:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e4f:$a5: netsh firewall delete allowedprogram " 0x51716:$a5: netsh firewall delete allowedprogram "
00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f2b:$a1: netsh firewall add allowedprogram 0x517f2:$a1: netsh firewall add allowedprogram 0x12efb:$a2: SEE_MASK_NOZONECHECKS 0x517c2:$a2: SEE_MASK_NOZONECHECKS 0x131a5:$b1: [TAP] 0x51a6c:$b1: [TAP] 0x12ebd:$c3: cmd.exe /c ping 0x51784:$c3: cmd.exe /c ping
00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12efb:$reg: SEE_MASK_NOZONECHECKS 0x517c2:$reg: SEE_MASK_NOZONECHECKS 0x12fd3:$msg: Execute ERROR 0x1302f:$msg: Execute ERROR 0x5189a:$msg: Execute ERROR 0x518f6:$msg: Execute ERROR 0x12ebd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51784:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x104b2:$a1: get_Registry 0x115b2:$a2: SEE_MASK_NOZONECHECKS 0x116ae:$a3: Download ERROR 0x11574:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11506:$a5: netsh firewall delete allowedprogram "
00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x115e2:$a1: netsh firewall add allowedprogram 0x115b2:$a2: SEE_MASK_NOZONECHECKS 0x1185c:$b1: [TAP] 0x11574:$c3: cmd.exe /c ping
00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x115b2:$reg: SEE_MASK_NOZONECHECKS 0x1168a:$msg: Execute ERROR 0x116e6:$msg: Execute ERROR 0x11574:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1159a:$a1: get_Registry 0x1269a:$a2: SEE_MASK_NOZONECHECKS 0x12796:$a3: Download ERROR 0x1265c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x125ee:$a5: netsh firewall delete allowedprogram "
00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x126ca:$a1: netsh firewall add allowedprogram 0x1269a:$a2: SEE_MASK_NOZONECHECKS 0x12944:$b1: [TAP] 0x1265c:$c3: cmd.exe /c ping
00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1269a:$reg: SEE_MASK_NOZONECHECKS 0x12772:$msg: Execute ERROR 0x127ce:$msg: Execute ERROR 0x1265c:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e3b:$a1: get_Registry 0x50702:$a1: get_Registry 0x12f3b:$a2: SEE_MASK_NOZONECHECKS 0x51802:$a2: SEE_MASK_NOZONECHECKS 0x13037:$a3: Download ERROR 0x518fe:$a3: Download ERROR 0x12efd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e8f:$a5: netsh firewall delete allowedprogram " 0x51756:$a5: netsh firewall delete allowedprogram "
00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f6b:$a1: netsh firewall add allowedprogram 0x51832:$a1: netsh firewall add allowedprogram 0x12f3b:$a2: SEE_MASK_NOZONECHECKS 0x51802:$a2: SEE_MASK_NOZONECHECKS 0x131e5:$b1: [TAP] 0x51aac:$b1: [TAP] 0x12efd:$c3: cmd.exe /c ping 0x517c4:$c3: cmd.exe /c ping
00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f3b:$reg: SEE_MASK_NOZONECHECKS 0x51802:$reg: SEE_MASK_NOZONECHECKS 0x13013:$msg: Execute ERROR 0x1306f:$msg: Execute ERROR 0x518da:$msg: Execute ERROR 0x51936:$msg: Execute ERROR 0x12efd:$ping: cmd.exe /c ping 0 -n 2 & del 0x517c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000019.00000002.2002193178.000000000042B000.00000004.00000001.01000000.0000001C.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10922:$a1: get_Registry 0x11a22:$a2: SEE_MASK_NOZONECHECKS 0x11b1e:$a3: Download ERROR 0x119e4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11976:$a5: netsh firewall delete allowedprogram "
0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a52:$a1: netsh firewall add allowedprogram 0x11a22:$a2: SEE_MASK_NOZONECHECKS 0x11ccc:$b1: [TAP] 0x119e4:$c3: cmd.exe /c ping
0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a22:$reg: SEE_MASK_NOZONECHECKS 0x11afa:$msg: Execute ERROR 0x11b56:$msg: Execute ERROR 0x119e4:$ping: cmd.exe /c ping 0 -n 2 & del
0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a33:$a1: get_Registry 0x502fa:$a1: get_Registry 0x12b33:$a2: SEE_MASK_NOZONECHECKS 0x513fa:$a2: SEE_MASK_NOZONECHECKS 0x12c2f:$a3: Download ERROR 0x514f6:$a3: Download ERROR 0x12af5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a87:$a5: netsh firewall delete allowedprogram " 0x5134e:$a5: netsh firewall delete allowedprogram "
0000001D.00000002.2007198128.000000000042B000.00000004.00000001.01000000.00000020.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b63:$a1: netsh firewall add allowedprogram 0x5142a:$a1: netsh firewall add allowedprogram 0x12b33:$a2: SEE_MASK_NOZONECHECKS 0x513fa:$a2: SEE_MASK_NOZONECHECKS 0x12ddd:$b1: [TAP] 0x516a4:$b1: [TAP] 0x12af5:$c3: cmd.exe /c ping 0x513bc:$c3: cmd.exe /c ping
0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b33:$reg: SEE_MASK_NOZONECHECKS 0x513fa:$reg: SEE_MASK_NOZONECHECKS 0x12c0b:$msg: Execute ERROR 0x12c67:$msg: Execute ERROR 0x514d2:$msg: Execute ERROR 0x5152e:$msg: Execute ERROR 0x12af5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e03:$a1: get_Registry 0x506ca:$a1: get_Registry 0x12f03:$a2: SEE_MASK_NOZONECHECKS 0x517ca:$a2: SEE_MASK_NOZONECHECKS 0x12fff:$a3: Download ERROR 0x518c6:$a3: Download ERROR 0x12ec5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5178c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e57:$a5: netsh firewall delete allowedprogram " 0x5171e:$a5: netsh firewall delete allowedprogram "
00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f33:$a1: netsh firewall add allowedprogram 0x517fa:$a1: netsh firewall add allowedprogram 0x12f03:$a2: SEE_MASK_NOZONECHECKS 0x517ca:$a2: SEE_MASK_NOZONECHECKS 0x131ad:$b1: [TAP] 0x51a74:$b1: [TAP] 0x12ec5:$c3: cmd.exe /c ping 0x5178c:$c3: cmd.exe /c ping
00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f03:$reg: SEE_MASK_NOZONECHECKS 0x517ca:$reg: SEE_MASK_NOZONECHECKS 0x12fdb:$msg: Execute ERROR 0x13037:$msg: Execute ERROR 0x518a2:$msg: Execute ERROR 0x518fe:$msg: Execute ERROR 0x12ec5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5178c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1170b:$a1: get_Registry 0x4ffd2:$a1: get_Registry 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12907:$a3: Download ERROR 0x511ce:$a3: Download ERROR 0x127cd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51094:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1275f:$a5: netsh firewall delete allowedprogram " 0x51026:$a5: netsh firewall delete allowedprogram "
0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1283b:$a1: netsh firewall add allowedprogram 0x51102:$a1: netsh firewall add allowedprogram 0x1280b:$a2: SEE_MASK_NOZONECHECKS 0x510d2:$a2: SEE_MASK_NOZONECHECKS 0x12ab5:$b1: [TAP] 0x5137c:$b1: [TAP] 0x127cd:$c3: cmd.exe /c ping 0x51094:$c3: cmd.exe /c ping
0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1280b:$reg: SEE_MASK_NOZONECHECKS 0x510d2:$reg: SEE_MASK_NOZONECHECKS 0x128e3:$msg: Execute ERROR 0x1293f:$msg: Execute ERROR 0x511aa:$msg: Execute ERROR 0x51206:$msg: Execute ERROR 0x127cd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51094:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11ccb:$a1: get_Registry 0x50592:$a1: get_Registry 0x12dcb:$a2: SEE_MASK_NOZONECHECKS 0x51692:$a2: SEE_MASK_NOZONECHECKS 0x12ec7:$a3: Download ERROR 0x5178e:$a3: Download ERROR 0x12d8d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51654:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12d1f:$a5: netsh firewall delete allowedprogram " 0x515e6:$a5: netsh firewall delete allowedprogram "
00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12dfb:$a1: netsh firewall add allowedprogram 0x516c2:$a1: netsh firewall add allowedprogram 0x12dcb:$a2: SEE_MASK_NOZONECHECKS 0x51692:$a2: SEE_MASK_NOZONECHECKS 0x13075:$b1: [TAP] 0x5193c:$b1: [TAP] 0x12d8d:$c3: cmd.exe /c ping 0x51654:$c3: cmd.exe /c ping
00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12dcb:$reg: SEE_MASK_NOZONECHECKS 0x51692:$reg: SEE_MASK_NOZONECHECKS 0x12ea3:$msg: Execute ERROR 0x12eff:$msg: Execute ERROR 0x5176a:$msg: Execute ERROR 0x517c6:$msg: Execute ERROR 0x12d8d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51654:$ping: cmd.exe /c ping 0 -n 2 & del
00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1181b:$a1: get_Registry 0x500e2:$a1: get_Registry 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12a17:$a3: Download ERROR 0x512de:$a3: Download ERROR 0x128dd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x511a4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1286f:$a5: netsh firewall delete allowedprogram " 0x51136:$a5: netsh firewall delete allowedprogram "
00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1294b:$a1: netsh firewall add allowedprogram 0x51212:$a1: netsh firewall add allowedprogram 0x1291b:$a2: SEE_MASK_NOZONECHECKS 0x511e2:$a2: SEE_MASK_NOZONECHECKS 0x12bc5:$b1: [TAP] 0x5148c:$b1: [TAP] 0x128dd:$c3: cmd.exe /c ping 0x511a4:$c3: cmd.exe /c ping
00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1291b:$reg: SEE_MASK_NOZONECHECKS 0x511e2:$reg: SEE_MASK_NOZONECHECKS 0x129f3:$msg: Execute ERROR 0x12a4f:$msg: Execute ERROR 0x512ba:$msg: Execute ERROR 0x51316:$msg: Execute ERROR 0x128dd:$ping: cmd.exe /c ping 0 -n 2 & del 0x511a4:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11302:$a1: get_Registry 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x124fe:$a3: Download ERROR 0x123c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12356:$a5: netsh firewall delete allowedprogram "
00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12432:$a1: netsh firewall add allowedprogram 0x12402:$a2: SEE_MASK_NOZONECHECKS 0x126ac:$b1: [TAP] 0x123c4:$c3: cmd.exe /c ping
00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12402:$reg: SEE_MASK_NOZONECHECKS 0x124da:$msg: Execute ERROR 0x12536:$msg: Execute ERROR 0x123c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11253:$a1: get_Registry 0x4fb1a:$a1: get_Registry 0x12353:$a2: SEE_MASK_NOZONECHECKS 0x50c1a:$a2: SEE_MASK_NOZONECHECKS 0x1244f:$a3: Download ERROR 0x50d16:$a3: Download ERROR 0x12315:$a4: cmd.exe /c ping 0 -n 2 & del " 0x50bdc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x122a7:$a5: netsh firewall delete allowedprogram " 0x50b6e:$a5: netsh firewall delete allowedprogram "
00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12383:$a1: netsh firewall add allowedprogram 0x50c4a:$a1: netsh firewall add allowedprogram 0x12353:$a2: SEE_MASK_NOZONECHECKS 0x50c1a:$a2: SEE_MASK_NOZONECHECKS 0x125fd:$b1: [TAP] 0x50ec4:$b1: [TAP] 0x12315:$c3: cmd.exe /c ping 0x50bdc:$c3: cmd.exe /c ping
00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12353:$reg: SEE_MASK_NOZONECHECKS 0x50c1a:$reg: SEE_MASK_NOZONECHECKS 0x1242b:$msg: Execute ERROR 0x12487:$msg: Execute ERROR 0x50cf2:$msg: Execute ERROR 0x50d4e:$msg: Execute ERROR 0x12315:$ping: cmd.exe /c ping 0 -n 2 & del 0x50bdc:$ping: cmd.exe /c ping 0 -n 2 & del
00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e33:$a1: get_Registry 0x506fa:$a1: get_Registry 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x1302f:$a3: Download ERROR 0x518f6:$a3: Download ERROR 0x12ef5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e87:$a5: netsh firewall delete allowedprogram " 0x5174e:$a5: netsh firewall delete allowedprogram "
0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f63:$a1: netsh firewall add allowedprogram 0x5182a:$a1: netsh firewall add allowedprogram 0x12f33:$a2: SEE_MASK_NOZONECHECKS 0x517fa:$a2: SEE_MASK_NOZONECHECKS 0x131dd:$b1: [TAP] 0x51aa4:$b1: [TAP] 0x12ef5:$c3: cmd.exe /c ping 0x517bc:$c3: cmd.exe /c ping
0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f33:$reg: SEE_MASK_NOZONECHECKS 0x517fa:$reg: SEE_MASK_NOZONECHECKS 0x1300b:$msg: Execute ERROR 0x13067:$msg: Execute ERROR 0x518d2:$msg: Execute ERROR 0x5192e:$msg: Execute ERROR 0x12ef5:$ping: cmd.exe /c ping 0 -n 2 & del 0x517bc:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: Xtks4KI16J.exe PID: 1620	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Xtks4KI16J.exe PID: 1620	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ikgcna32.exe PID: 5228	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ikgcna32.exe PID: 5228	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Idogffko.exe PID: 4484	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Idogffko.exe PID: 4484	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ipfhkgac.exe PID: 3300	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ipfhkgac.exe PID: 3300	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ikklipqi.exe PID: 5824	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ikklipqi.exe PID: 5824	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jddqaf32.exe PID: 4564	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jddqaf32.exe PID: 4564	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jjqijmeq.exe PID: 3632	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jjqijmeq.exe PID: 3632	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jgdjcadj.exe PID: 2596	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jgdjcadj.exe PID: 2596	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jqmnlf32.exe PID: 6748	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jqmnlf32.exe PID: 6748	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jkbbioja.exe PID: 4280	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jkbbioja.exe PID: 4280	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jbogli32.exe PID: 6008	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jbogli32.exe PID: 6008	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Kjjlpk32.exe PID: 6668	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Kjjlpk32.exe PID: 6668	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Kkjhjn32.exe PID: 7112	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Kkjhjn32.exe PID: 7112	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Khnicb32.exe PID: 7184	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Khnicb32.exe PID: 7184	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Khbbobom.exe PID: 7200	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Khbbobom.exe PID: 7200	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Lbmcmgck.exe PID: 7216	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Lbmcmgck.exe PID: 7216	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Lqbqnc32.exe PID: 7232	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Lqbqnc32.exe PID: 7232	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Lileeqgb.exe PID: 7248	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Lileeqgb.exe PID: 7248	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Lgqbfmlj.exe PID: 7264	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Lgqbfmlj.exe PID: 7264	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mbiciein.exe PID: 7284	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mbiciein.exe PID: 7284	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mnodnfob.exe PID: 7300	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mnodnfob.exe PID: 7300	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mapmoalc.exe PID: 7320	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mapmoalc.exe PID: 7320	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mndmif32.exe PID: 7336	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mndmif32.exe PID: 7336	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mhlaakam.exe PID: 7352	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mhlaakam.exe PID: 7352	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Maefjq32.exe PID: 7368	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Maefjq32.exe PID: 7368	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nbdbdc32.exe PID: 7384	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nbdbdc32.exe PID: 7384	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Naipepdh.exe PID: 7400	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Naipepdh.exe PID: 7400	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nnmpodcb.exe PID: 7416	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nnmpodcb.exe PID: 7416	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nlaqhh32.exe PID: 7432	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nlaqhh32.exe PID: 7432	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Njfmiegc.exe PID: 7448	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Njfmiegc.exe PID: 7448	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Oihnglob.exe PID: 7464	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Oihnglob.exe PID: 7464	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Obbofa32.exe PID: 7480	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Obbofa32.exe PID: 7480	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ooipkb32.exe PID: 7496	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ooipkb32.exe PID: 7496	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Olmpdg32.exe PID: 7512	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Olmpdg32.exe PID: 7512	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Olpmjffk.exe PID: 7532	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Olpmjffk.exe PID: 7532	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Plbiofci.exe PID: 7548	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Plbiofci.exe PID: 7548	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Pkgfpbhq.exe PID: 7572	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Pkgfpbhq.exe PID: 7572	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Poeofa32.exe PID: 7588	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Poeofa32.exe PID: 7588	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Pklpkb32.exe PID: 7604	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Pklpkb32.exe PID: 7604	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Peadik32.exe PID: 7620	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Peadik32.exe PID: 7620	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 427 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Ipfhkgac.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
26.2.Naipepdh.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
11.2.Kjjlpk32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
24.2.Maefjq32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
32.2.Ooipkb32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
30.2.Oihnglob.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
1.2.Ikgcna32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
37.3.Poeofa32.exe.81aabc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
37.3.Poeofa32.exe.81aabc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
37.3.Poeofa32.exe.81aabc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
37.3.Poeofa32.exe.81aabc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
37.3.Poeofa32.exe.81aabc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
37.3.Poeofa32.exe.81aabc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
10.2.Jbogli32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
27.2.Nnmpodcb.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
31.3.Obbofa32.exe.72a3bc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
31.3.Obbofa32.exe.72a3bc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
31.3.Obbofa32.exe.72a3bc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
31.3.Obbofa32.exe.72a3bc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
31.3.Obbofa32.exe.72a3bc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
31.3.Obbofa32.exe.72a3bc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
36.2.Pkgfpbhq.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.3.Mndmif32.exe.6ca364.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
22.3.Mndmif32.exe.6ca364.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
22.3.Mndmif32.exe.6ca364.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
22.3.Mndmif32.exe.6ca364.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
22.3.Mndmif32.exe.6ca364.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
11.3.Kjjlpk32.exe.60a944.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Kjjlpk32.exe.60a944.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
11.3.Kjjlpk32.exe.60a944.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
11.3.Kjjlpk32.exe.60a944.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
11.3.Kjjlpk32.exe.60a944.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
11.3.Kjjlpk32.exe.60a944.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
0.3.Xtks4KI16J.exe.54bf44.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.Xtks4KI16J.exe.54bf44.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
0.3.Xtks4KI16J.exe.54bf44.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
0.3.Xtks4KI16J.exe.54bf44.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
0.3.Xtks4KI16J.exe.54bf44.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.Xtks4KI16J.exe.54bf44.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
4.3.Ikklipqi.exe.64a3cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.3.Ikklipqi.exe.64a3cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
4.3.Ikklipqi.exe.64a3cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
4.3.Ikklipqi.exe.64a3cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
4.3.Ikklipqi.exe.64a3cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
4.3.Ikklipqi.exe.64a3cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
8.2.Jqmnlf32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
11.2.Kjjlpk32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
38.2.Pklpkb32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
6.3.Jjqijmeq.exe.52997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
6.3.Jjqijmeq.exe.52997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
6.3.Jjqijmeq.exe.52997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
6.3.Jjqijmeq.exe.52997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
6.3.Jjqijmeq.exe.52997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
3.3.Ipfhkgac.exe.5d9814.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.3.Ipfhkgac.exe.5d9814.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
3.3.Ipfhkgac.exe.5d9814.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
3.3.Ipfhkgac.exe.5d9814.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
3.3.Ipfhkgac.exe.5d9814.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
12.2.Kkjhjn32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
14.3.Khbbobom.exe.61997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
26.3.Naipepdh.exe.7ba3cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
14.3.Khbbobom.exe.61997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
26.3.Naipepdh.exe.7ba3cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
26.3.Naipepdh.exe.7ba3cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
26.3.Naipepdh.exe.7ba3cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
26.3.Naipepdh.exe.7ba3cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
26.3.Naipepdh.exe.7ba3cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
14.3.Khbbobom.exe.61997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
14.3.Khbbobom.exe.61997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
14.3.Khbbobom.exe.61997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
2.3.Idogffko.exe.5ea36c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.3.Idogffko.exe.5ea36c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
2.3.Idogffko.exe.5ea36c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
2.3.Idogffko.exe.5ea36c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
2.3.Idogffko.exe.5ea36c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
2.3.Idogffko.exe.5ea36c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
18.3.Lgqbfmlj.exe.7aa944.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.3.Lgqbfmlj.exe.7aa944.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
18.3.Lgqbfmlj.exe.7aa944.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
18.3.Lgqbfmlj.exe.7aa944.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
18.3.Lgqbfmlj.exe.7aa944.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
18.3.Lgqbfmlj.exe.7aa944.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
34.3.Olpmjffk.exe.58a6d4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
33.3.Olmpdg32.exe.50997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
34.3.Olpmjffk.exe.58a6d4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
34.3.Olpmjffk.exe.58a6d4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
34.3.Olpmjffk.exe.58a6d4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
34.3.Olpmjffk.exe.58a6d4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
33.3.Olmpdg32.exe.50997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
33.3.Olmpdg32.exe.50997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
33.3.Olmpdg32.exe.50997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
33.3.Olmpdg32.exe.50997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
33.3.Olmpdg32.exe.50997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
19.3.Mbiciein.exe.53a91c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
19.3.Mbiciein.exe.53a91c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
19.3.Mbiciein.exe.53a91c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
19.3.Mbiciein.exe.53a91c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
19.3.Mbiciein.exe.53a91c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
7.3.Jgdjcadj.exe.56a94c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.3.Jgdjcadj.exe.56a94c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
7.3.Jgdjcadj.exe.56a94c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
7.3.Jgdjcadj.exe.56a94c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
7.3.Jgdjcadj.exe.56a94c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
7.3.Jgdjcadj.exe.56a94c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
5.2.Jddqaf32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
7.2.Jgdjcadj.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
25.2.Nbdbdc32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
21.2.Mapmoalc.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
16.2.Lqbqnc32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
32.3.Ooipkb32.exe.61997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
32.3.Ooipkb32.exe.61997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
32.3.Ooipkb32.exe.61997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
32.3.Ooipkb32.exe.61997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
32.3.Ooipkb32.exe.61997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
18.2.Lgqbfmlj.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
20.3.Mnodnfob.exe.7a925c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.3.Mnodnfob.exe.7a925c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
20.3.Mnodnfob.exe.7a925c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
20.3.Mnodnfob.exe.7a925c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
20.3.Mnodnfob.exe.7a925c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
27.3.Nnmpodcb.exe.61957c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
27.3.Nnmpodcb.exe.61957c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
27.3.Nnmpodcb.exe.61957c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
27.3.Nnmpodcb.exe.61957c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
27.3.Nnmpodcb.exe.61957c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
34.2.Olpmjffk.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
5.3.Jddqaf32.exe.58925c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.3.Jddqaf32.exe.58925c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
5.3.Jddqaf32.exe.58925c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
5.3.Jddqaf32.exe.58925c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
5.3.Jddqaf32.exe.58925c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
37.2.Poeofa32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
3.2.Ipfhkgac.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.2.Mndmif32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
4.2.Ikklipqi.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
13.2.Khnicb32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
17.3.Lileeqgb.exe.69a364.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.3.Lileeqgb.exe.69a364.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
17.3.Lileeqgb.exe.69a364.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
17.3.Lileeqgb.exe.69a364.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
17.3.Lileeqgb.exe.69a364.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
39.2.Peadik32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
17.2.Lileeqgb.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0.2.Xtks4KI16J.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.2.Mndmif32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
33.3.Olmpdg32.exe.50997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
33.3.Olmpdg32.exe.50997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
33.3.Olmpdg32.exe.50997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
33.3.Olmpdg32.exe.50997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
33.3.Olmpdg32.exe.50997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
15.2.Lbmcmgck.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
8.3.Jqmnlf32.exe.4c9754.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.3.Jqmnlf32.exe.4c9754.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
8.3.Jqmnlf32.exe.4c9754.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
8.3.Jqmnlf32.exe.4c9754.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
8.3.Jqmnlf32.exe.4c9754.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
8.3.Jqmnlf32.exe.4c9754.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
1.3.Ikgcna32.exe.5e9814.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.3.Ikgcna32.exe.5e9814.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
1.3.Ikgcna32.exe.5e9814.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
1.3.Ikgcna32.exe.5e9814.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
1.3.Ikgcna32.exe.5e9814.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
1.3.Ikgcna32.exe.5e9814.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
17.3.Lileeqgb.exe.69a364.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.3.Lileeqgb.exe.69a364.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
17.3.Lileeqgb.exe.69a364.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
17.3.Lileeqgb.exe.69a364.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
17.3.Lileeqgb.exe.69a364.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
17.3.Lileeqgb.exe.69a364.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
18.2.Lgqbfmlj.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
25.3.Nbdbdc32.exe.78a94c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
25.3.Nbdbdc32.exe.78a94c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
25.3.Nbdbdc32.exe.78a94c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
25.3.Nbdbdc32.exe.78a94c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
25.3.Nbdbdc32.exe.78a94c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
25.3.Nbdbdc32.exe.78a94c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
5.3.Jddqaf32.exe.58925c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.3.Jddqaf32.exe.58925c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
5.3.Jddqaf32.exe.58925c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
5.3.Jddqaf32.exe.58925c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
5.3.Jddqaf32.exe.58925c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
28.2.Nlaqhh32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
5.3.Jddqaf32.exe.58925c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
8.2.Jqmnlf32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
35.2.Plbiofci.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
36.3.Pkgfpbhq.exe.50a364.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.Pkgfpbhq.exe.50a364.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
36.3.Pkgfpbhq.exe.50a364.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
36.3.Pkgfpbhq.exe.50a364.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
36.3.Pkgfpbhq.exe.50a364.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
36.3.Pkgfpbhq.exe.50a364.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
7.3.Jgdjcadj.exe.56a94c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.3.Jgdjcadj.exe.56a94c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
7.3.Jgdjcadj.exe.56a94c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
7.3.Jgdjcadj.exe.56a94c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
7.3.Jgdjcadj.exe.56a94c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
28.2.Nlaqhh32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
1.2.Ikgcna32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
24.3.Maefjq32.exe.6f9254.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
24.3.Maefjq32.exe.6f9254.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
24.3.Maefjq32.exe.6f9254.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
24.3.Maefjq32.exe.6f9254.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
24.3.Maefjq32.exe.6f9254.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
24.3.Maefjq32.exe.6f9254.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
19.2.Mbiciein.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
34.2.Olpmjffk.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
17.2.Lileeqgb.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
13.3.Khnicb32.exe.64a624.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.3.Khnicb32.exe.64a624.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
13.3.Khnicb32.exe.64a624.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
13.3.Khnicb32.exe.64a624.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
13.3.Khnicb32.exe.64a624.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
13.3.Khnicb32.exe.64a624.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
15.2.Lbmcmgck.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
14.2.Khbbobom.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
35.3.Plbiofci.exe.79997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
35.3.Plbiofci.exe.79997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
35.3.Plbiofci.exe.79997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
35.3.Plbiofci.exe.79997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
35.3.Plbiofci.exe.79997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
2.3.Idogffko.exe.5ea36c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.3.Idogffko.exe.5ea36c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
10.3.Jbogli32.exe.5b9254.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.3.Idogffko.exe.5ea36c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
10.3.Jbogli32.exe.5b9254.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
2.3.Idogffko.exe.5ea36c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
2.3.Idogffko.exe.5ea36c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
10.3.Jbogli32.exe.5b9254.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
10.3.Jbogli32.exe.5b9254.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
10.3.Jbogli32.exe.5b9254.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
10.3.Jbogli32.exe.5b9254.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
9.2.Jkbbioja.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
39.2.Peadik32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
27.2.Nnmpodcb.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.2.Njfmiegc.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
13.2.Khnicb32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
36.2.Pkgfpbhq.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.3.Kkjhjn32.exe.50997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.3.Kkjhjn32.exe.50997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
12.3.Kkjhjn32.exe.50997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
12.3.Kkjhjn32.exe.50997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
12.3.Kkjhjn32.exe.50997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
32.3.Ooipkb32.exe.61997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
32.3.Ooipkb32.exe.61997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
32.3.Ooipkb32.exe.61997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
32.3.Ooipkb32.exe.61997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
32.3.Ooipkb32.exe.61997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
32.3.Ooipkb32.exe.61997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
30.2.Oihnglob.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.3.Kkjhjn32.exe.50997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
4.3.Ikklipqi.exe.64a3cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.3.Ikklipqi.exe.64a3cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
4.3.Ikklipqi.exe.64a3cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
4.3.Ikklipqi.exe.64a3cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
4.3.Ikklipqi.exe.64a3cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
20.2.Mnodnfob.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
23.3.Mhlaakam.exe.4dc24c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.3.Mhlaakam.exe.4dc24c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
23.3.Mhlaakam.exe.4dc24c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
23.3.Mhlaakam.exe.4dc24c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
23.3.Mhlaakam.exe.4dc24c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
23.3.Mhlaakam.exe.4dc24c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.3.Mhlaakam.exe.4dc24c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
23.3.Mhlaakam.exe.4dc24c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
23.3.Mhlaakam.exe.4dc24c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
23.3.Mhlaakam.exe.4dc24c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
23.3.Mhlaakam.exe.4dc24c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
24.2.Maefjq32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
2.2.Idogffko.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
19.3.Mbiciein.exe.53a91c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
19.3.Mbiciein.exe.53a91c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
21.2.Mapmoalc.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
19.3.Mbiciein.exe.53a91c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
19.3.Mbiciein.exe.53a91c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
19.3.Mbiciein.exe.53a91c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
19.3.Mbiciein.exe.53a91c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
33.2.Olmpdg32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
39.3.Peadik32.exe.55bd9c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
39.3.Peadik32.exe.55bd9c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
39.3.Peadik32.exe.55bd9c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
39.3.Peadik32.exe.55bd9c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
39.3.Peadik32.exe.55bd9c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
39.3.Peadik32.exe.55bd9c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
39.3.Peadik32.exe.55bd9c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
39.3.Peadik32.exe.55bd9c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
39.3.Peadik32.exe.55bd9c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
39.3.Peadik32.exe.55bd9c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
39.3.Peadik32.exe.55bd9c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
35.2.Plbiofci.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
7.2.Jgdjcadj.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
37.2.Poeofa32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
19.2.Mbiciein.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
20.3.Mnodnfob.exe.7a925c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.3.Mnodnfob.exe.7a925c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
20.3.Mnodnfob.exe.7a925c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
20.3.Mnodnfob.exe.7a925c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
20.3.Mnodnfob.exe.7a925c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
20.3.Mnodnfob.exe.7a925c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
1.3.Ikgcna32.exe.5e9814.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.3.Ikgcna32.exe.5e9814.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
1.3.Ikgcna32.exe.5e9814.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
1.3.Ikgcna32.exe.5e9814.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
1.3.Ikgcna32.exe.5e9814.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
8.3.Jqmnlf32.exe.4c9754.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
37.3.Poeofa32.exe.81aabc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
37.3.Poeofa32.exe.81aabc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
8.3.Jqmnlf32.exe.4c9754.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
37.3.Poeofa32.exe.81aabc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
37.3.Poeofa32.exe.81aabc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
37.3.Poeofa32.exe.81aabc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
10.2.Jbogli32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
8.3.Jqmnlf32.exe.4c9754.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
8.3.Jqmnlf32.exe.4c9754.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
8.3.Jqmnlf32.exe.4c9754.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
38.2.Pklpkb32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
36.3.Pkgfpbhq.exe.50a364.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.Pkgfpbhq.exe.50a364.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
36.3.Pkgfpbhq.exe.50a364.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
36.3.Pkgfpbhq.exe.50a364.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
36.3.Pkgfpbhq.exe.50a364.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
38.3.Pklpkb32.exe.7aa984.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.Pklpkb32.exe.7aa984.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
38.3.Pklpkb32.exe.7aa984.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
38.3.Pklpkb32.exe.7aa984.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
38.3.Pklpkb32.exe.7aa984.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
15.3.Lbmcmgck.exe.5b957c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.3.Lbmcmgck.exe.5b957c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
15.3.Lbmcmgck.exe.5b957c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
15.3.Lbmcmgck.exe.5b957c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
15.3.Lbmcmgck.exe.5b957c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
14.3.Khbbobom.exe.61997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
14.3.Khbbobom.exe.61997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
14.3.Khbbobom.exe.61997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
14.3.Khbbobom.exe.61997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
14.3.Khbbobom.exe.61997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
14.3.Khbbobom.exe.61997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
27.3.Nnmpodcb.exe.61957c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
27.3.Nnmpodcb.exe.61957c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
27.3.Nnmpodcb.exe.61957c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
27.3.Nnmpodcb.exe.61957c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
27.3.Nnmpodcb.exe.61957c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
27.3.Nnmpodcb.exe.61957c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
10.3.Jbogli32.exe.5b9254.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.3.Kkjhjn32.exe.50997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.3.Kkjhjn32.exe.50997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
10.3.Jbogli32.exe.5b9254.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
10.3.Jbogli32.exe.5b9254.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
10.3.Jbogli32.exe.5b9254.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
10.3.Jbogli32.exe.5b9254.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
12.3.Kkjhjn32.exe.50997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
12.3.Kkjhjn32.exe.50997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
12.3.Kkjhjn32.exe.50997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
34.3.Olpmjffk.exe.58a6d4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
34.3.Olpmjffk.exe.58a6d4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
34.3.Olpmjffk.exe.58a6d4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
34.3.Olpmjffk.exe.58a6d4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
34.3.Olpmjffk.exe.58a6d4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
34.3.Olpmjffk.exe.58a6d4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
11.3.Kjjlpk32.exe.60a944.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Kjjlpk32.exe.60a944.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
11.3.Kjjlpk32.exe.60a944.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
11.3.Kjjlpk32.exe.60a944.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
11.3.Kjjlpk32.exe.60a944.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
29.3.Njfmiegc.exe.66a364.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
29.3.Njfmiegc.exe.66a364.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
30.3.Oihnglob.exe.5b997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
29.3.Njfmiegc.exe.66a364.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
6.2.Jjqijmeq.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
31.2.Obbofa32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.3.Njfmiegc.exe.66a364.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
29.3.Njfmiegc.exe.66a364.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
29.3.Njfmiegc.exe.66a364.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
30.3.Oihnglob.exe.5b997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
9.2.Jkbbioja.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
30.3.Oihnglob.exe.5b997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
30.3.Oihnglob.exe.5b997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
30.3.Oihnglob.exe.5b997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
30.3.Oihnglob.exe.5b997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
4.2.Ikklipqi.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
28.3.Nlaqhh32.exe.6ea3b4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
3.3.Ipfhkgac.exe.5d9814.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.3.Ipfhkgac.exe.5d9814.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
3.3.Ipfhkgac.exe.5d9814.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
3.3.Ipfhkgac.exe.5d9814.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
3.3.Ipfhkgac.exe.5d9814.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
3.3.Ipfhkgac.exe.5d9814.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
9.3.Jkbbioja.exe.7b997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.3.Jkbbioja.exe.7b997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
9.3.Jkbbioja.exe.7b997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
9.3.Jkbbioja.exe.7b997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
9.3.Jkbbioja.exe.7b997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
9.3.Jkbbioja.exe.7b997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
33.2.Olmpdg32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
14.2.Khbbobom.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
6.2.Jjqijmeq.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
15.3.Lbmcmgck.exe.5b957c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.3.Lbmcmgck.exe.5b957c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
15.3.Lbmcmgck.exe.5b957c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
15.3.Lbmcmgck.exe.5b957c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
15.3.Lbmcmgck.exe.5b957c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
15.3.Lbmcmgck.exe.5b957c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
20.2.Mnodnfob.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
24.3.Maefjq32.exe.6f9254.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
24.3.Maefjq32.exe.6f9254.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
24.3.Maefjq32.exe.6f9254.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
24.3.Maefjq32.exe.6f9254.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
24.3.Maefjq32.exe.6f9254.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
0.2.Xtks4KI16J.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
31.2.Obbofa32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
23.2.Mhlaakam.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
35.3.Plbiofci.exe.79997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
35.3.Plbiofci.exe.79997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
35.3.Plbiofci.exe.79997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
35.3.Plbiofci.exe.79997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
35.3.Plbiofci.exe.79997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
35.3.Plbiofci.exe.79997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
13.3.Khnicb32.exe.64a624.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.3.Khnicb32.exe.64a624.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
13.3.Khnicb32.exe.64a624.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
13.3.Khnicb32.exe.64a624.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
13.3.Khnicb32.exe.64a624.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
16.2.Lqbqnc32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.2.Kkjhjn32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
2.2.Idogffko.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
32.2.Ooipkb32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
16.3.Lqbqnc32.exe.6c9254.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.3.Lqbqnc32.exe.6c9254.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
16.3.Lqbqnc32.exe.6c9254.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
16.3.Lqbqnc32.exe.6c9254.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
16.3.Lqbqnc32.exe.6c9254.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
16.3.Lqbqnc32.exe.6c9254.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
22.3.Mndmif32.exe.6ca364.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
22.3.Mndmif32.exe.6ca364.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
22.3.Mndmif32.exe.6ca364.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
22.3.Mndmif32.exe.6ca364.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
22.3.Mndmif32.exe.6ca364.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
22.3.Mndmif32.exe.6ca364.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
5.2.Jddqaf32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
26.3.Naipepdh.exe.7ba3cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
26.3.Naipepdh.exe.7ba3cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
26.3.Naipepdh.exe.7ba3cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
26.3.Naipepdh.exe.7ba3cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
26.3.Naipepdh.exe.7ba3cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
25.2.Nbdbdc32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.2.Njfmiegc.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
6.3.Jjqijmeq.exe.52997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
6.3.Jjqijmeq.exe.52997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
6.3.Jjqijmeq.exe.52997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
6.3.Jjqijmeq.exe.52997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
6.3.Jjqijmeq.exe.52997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
6.3.Jjqijmeq.exe.52997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
21.3.Mapmoalc.exe.6d997c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.3.Mapmoalc.exe.6d997c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
21.3.Mapmoalc.exe.6d997c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
21.3.Mapmoalc.exe.6d997c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
21.3.Mapmoalc.exe.6d997c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
21.3.Mapmoalc.exe.6d997c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
21.3.Mapmoalc.exe.6d997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.3.Mapmoalc.exe.6d997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
21.3.Mapmoalc.exe.6d997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
21.3.Mapmoalc.exe.6d997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
21.3.Mapmoalc.exe.6d997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
23.2.Mhlaakam.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.3.Njfmiegc.exe.66a364.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
25.3.Nbdbdc32.exe.78a94c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
29.3.Njfmiegc.exe.66a364.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
25.3.Nbdbdc32.exe.78a94c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
25.3.Nbdbdc32.exe.78a94c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
25.3.Nbdbdc32.exe.78a94c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
25.3.Nbdbdc32.exe.78a94c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
29.3.Njfmiegc.exe.66a364.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
29.3.Njfmiegc.exe.66a364.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
29.3.Njfmiegc.exe.66a364.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
26.2.Naipepdh.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
38.3.Pklpkb32.exe.7aa984.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.Pklpkb32.exe.7aa984.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
38.3.Pklpkb32.exe.7aa984.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
38.3.Pklpkb32.exe.7aa984.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
38.3.Pklpkb32.exe.7aa984.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
38.3.Pklpkb32.exe.7aa984.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
9.3.Jkbbioja.exe.7b997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.3.Jkbbioja.exe.7b997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
31.3.Obbofa32.exe.72a3bc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.3.Jkbbioja.exe.7b997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
9.3.Jkbbioja.exe.7b997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
9.3.Jkbbioja.exe.7b997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
31.3.Obbofa32.exe.72a3bc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
31.3.Obbofa32.exe.72a3bc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
31.3.Obbofa32.exe.72a3bc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
31.3.Obbofa32.exe.72a3bc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
30.3.Oihnglob.exe.5b997c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
30.3.Oihnglob.exe.5b997c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
30.3.Oihnglob.exe.5b997c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
30.3.Oihnglob.exe.5b997c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
30.3.Oihnglob.exe.5b997c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
16.3.Lqbqnc32.exe.6c9254.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.3.Lqbqnc32.exe.6c9254.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
16.3.Lqbqnc32.exe.6c9254.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
16.3.Lqbqnc32.exe.6c9254.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
16.3.Lqbqnc32.exe.6c9254.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
Click to see the 515 entries

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: {79FEACFF-FFCE-815E-A900-316290B5B738}, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Xtks4KI16J.exe, ProcessId: 1620, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Xtks4KI16J.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://color-bank.ru/index.php	URL Reputation: Label: malware
Source: http://parex-bank.ru/index.htm	URL Reputation: Label: malware
Source: http://kidos-bank.ru/index.htm	URL Reputation: Label: malware
Source: http://ros-neftbank.ru/index.php	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\Ikgcna32.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Gjdogi32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Cacope32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Jebgbcgg.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Hdlllf32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Jbogli32.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Epibpnek.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Biiggc32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Beofla32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Gedgjccb.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Dajmooqf.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Idogffko.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Egobfg32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ckllojnq.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Jdhlnhlh.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Dblkhkce.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Glblcojl.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Fpianhmj.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Hilimkhd.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Hiiodl32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Cmjgejad.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ekicli32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Alqeloga.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ghhjiigd.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Jccpao32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Efqdik32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen

Yara detected Njrat

Source: Yara match	File source: Xtks4KI16J.exe, type: SAMPLE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Peadik32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lileeqgb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pkgfpbhq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olpmjffk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkjhjn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lbmcmgck.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olmpdg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jqmnlf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mndmif32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Njfmiegc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mapmoalc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbiciein.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Poeofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jjqijmeq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pojhapkb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnmpodcb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lqbqnc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jbogli32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Naipepdh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lgqbfmlj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikgcna32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nbdbdc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khnicb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhlaakam.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikklipqi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jddqaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Idogffko.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ipfhkgac.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plbiofci.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khbbobom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jgdjcadj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ooipkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obbofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nlaqhh32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kjjlpk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oihnglob.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pklpkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jkbbioja.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Maefjq32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mnodnfob.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\Ikgcna32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Gjdogi32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cacope32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jebgbcgg.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Hdlllf32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jbogli32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Epibpnek.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Biiggc32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Beofla32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Gedgjccb.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dajmooqf.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Idogffko.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Egobfg32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ckllojnq.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jdhlnhlh.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dblkhkce.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Glblcojl.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Fpianhmj.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Hilimkhd.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Hiiodl32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cmjgejad.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekicli32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Alqeloga.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ghhjiigd.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jccpao32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Efqdik32.dll	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Xtks4KI16J.exe

Joe Sandbox ML: detected

Source: Xtks4KI16J.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then cmp eax, ebx	0_2_00430000
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then jne 00430024h	0_2_00430000
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then je 00430084h	0_2_00430000
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then div edi	0_2_0043009C
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then je 00403D01h	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xor dword ptr [eax], ecx	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then inc eax	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then jne 00403CD7h	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov eax, 0042B000h	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then je 00403D37h	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xor dword ptr [eax], ecx	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then add eax, 04h	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then jne 00403D1Fh	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then popad	0_2_00403CB3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	0_2_00403D50
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then add ebx, 04h	0_2_00403D50
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then jl 00403D74h	0_2_00403D50
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then add eax, 0Ch	0_2_00403D50
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then popad	0_2_00403D50
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then pop edi	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov ebx, 00408F6Ch	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then sub ecx, eax	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xor edx, edx	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then push eax	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then div edi	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xchg eax, ecx	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then add eax, edi	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then loop 00403E23h	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov eax, 0042B000h	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov ebx, 0042E3D0h	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then sub ecx, eax	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xor edx, edx	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then push eax	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then div edi	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then xchg eax, ecx	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then add eax, edi	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then loop 00403E83h	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then popad	0_2_00403DC3
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then mov eax, 00401000h	0_2_0042FE60
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then cmp eax, ebx	0_2_0042FE60
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then jne 00430024h	0_2_0042FE60
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: 4x nop then je 00430084h	0_2_0042FE60
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov eax, ecx	1_2_00430068
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then div edi	1_2_00430068
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then call 0043000Ch	1_2_00430000
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then je 00403D01h	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then inc eax	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then jne 00403CD7h	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov eax, 0042B000h	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then je 00403D37h	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then add eax, 04h	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then jne 00403D1Fh	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then popad	1_2_00403CB3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	1_2_00403D50
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then add ebx, 04h	1_2_00403D50
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then jl 00403D74h	1_2_00403D50
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then add eax, 0Ch	1_2_00403D50
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then popad	1_2_00403D50
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then pop edi	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then sub ecx, eax	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xor edx, edx	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then push eax	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then div edi	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xchg eax, ecx	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then add eax, edi	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then loop 00403E23h	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov eax, 0042B000h	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then sub ecx, eax	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xor edx, edx	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then push eax	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then div edi	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then xchg eax, ecx	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then add eax, edi	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then loop 00403E83h	1_2_00403DC3
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: 4x nop then popad	1_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then push 00000004h	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then je 00430072h	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 00408F6Ch	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov eax, ecx	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, edi	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then loop 00430060h	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ecx, ebx	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor dword ptr [eax], esi	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then jmp 00401219h	2_2_00430000
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then je 00403D01h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor dword ptr [eax], ecx	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then inc eax	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then jne 00403CD7h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov eax, 0042B000h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then je 00403D37h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor dword ptr [eax], ecx	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, 04h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then jne 00403D1Fh	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then popad	2_2_00403CB3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	2_2_00403D50
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add ebx, 04h	2_2_00403D50
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then jl 00403D74h	2_2_00403D50
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, 0Ch	2_2_00403D50
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then popad	2_2_00403D50
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then pop edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 00408F6Ch	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then sub ecx, eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor edx, edx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then push eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then div edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xchg eax, ecx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then loop 00403E23h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov eax, 0042B000h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then sub ecx, eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor edx, edx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then push eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then div edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xchg eax, ecx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then loop 00403E83h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then popad	2_2_00403DC3
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then push 00000004h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then je 00430072h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 00408F6Ch	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov eax, ecx	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then add eax, edi	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then loop 00430060h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then mov ecx, ebx	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then xor dword ptr [eax], esi	2_2_0042FE60
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: 4x nop then jmp 00401219h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor dword ptr [eax], esi	3_2_00430073
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then jmp 00401219h	3_2_00430073
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then call 0043000Ch	3_2_00430000
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, 00403DAAh	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov edx, dword ptr [eax+08h]	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor dword ptr [ebx], edx	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then cmp ebx, ecx	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, 0Ch	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then jne 0043001Eh	3_2_0043000C
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then je 00403D01h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor dword ptr [eax], ecx	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then inc eax	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then jne 00403CD7h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov eax, 0042B000h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then je 00403D37h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor dword ptr [eax], ecx	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, 04h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then jne 00403D1Fh	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then popad	3_2_00403CB3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	3_2_00403D50
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add ebx, 04h	3_2_00403D50
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then jl 00403D74h	3_2_00403D50
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, 0Ch	3_2_00403D50
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then popad	3_2_00403D50
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then pop edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov ebx, 00408F6Ch	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then sub ecx, eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor edx, edx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then push eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then div edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xchg eax, ecx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then loop 00403E23h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov eax, 0042B000h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then mov ebx, 0042E3D0h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then sub ecx, eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xor edx, edx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then push eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then div edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then xchg eax, ecx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then add eax, edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then loop 00403E83h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: 4x nop then popad	3_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then inc eax	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then cmp eax, ebx	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then je 00430084h	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, 04h	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then cmp eax, ebx	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jne 0043006Ch	4_2_00430000
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor dword ptr [eax], esi	4_2_0043009D
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jmp 00401219h	4_2_0043009D
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then je 00403D01h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then inc eax	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jne 00403CD7h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then je 00403D37h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, 04h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jne 00403D1Fh	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then popad	4_2_00403CB3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	4_2_00403D50
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add ebx, 04h	4_2_00403D50
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jl 00403D74h	4_2_00403D50
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, 0Ch	4_2_00403D50
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then popad	4_2_00403D50
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then pop edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov ebx, 00408F6Ch	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then sub ecx, eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor edx, edx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then push eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then div edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xchg eax, ecx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then loop 00403E23h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov ebx, 0042E3D0h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then sub ecx, eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor edx, edx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then push eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then div edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xchg eax, ecx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then loop 00403E83h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then popad	4_2_00403DC3
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then inc eax	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then cmp eax, ebx	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then je 00430084h	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then add eax, 04h	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then cmp eax, ebx	4_2_0042FE60
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: 4x nop then jne 0043006Ch	4_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then pushad	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ecx, ebx	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then loop 00430060h	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then je 004300D2h	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then div edi	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov esi, 61C62A2Eh	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, edi	5_2_00430000
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then je 00403D01h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then inc eax	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then jne 00403CD7h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov eax, 0042B000h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then je 00403D37h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, 04h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then jne 00403D1Fh	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then popad	5_2_00403CB3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	5_2_00403D50
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add ebx, 04h	5_2_00403D50
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then jl 00403D74h	5_2_00403D50
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, 0Ch	5_2_00403D50
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then popad	5_2_00403D50
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then pop edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then sub ecx, eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xor edx, edx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then push eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then div edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xchg eax, ecx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then loop 00403E23h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov eax, 0042B000h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then sub ecx, eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xor edx, edx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then push eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then div edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then xchg eax, ecx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then loop 00403E83h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then popad	5_2_00403DC3
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov ecx, ebx	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then loop 00430060h	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then je 004300D2h	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then div edi	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then mov esi, 61C62A2Eh	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: 4x nop then add eax, edi	5_2_0042FE60
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, 00403DAAh	6_2_0043000C
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov ebx, dword ptr [eax]	6_2_0043000C
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov edx, dword ptr [eax+08h]	6_2_0043000C
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, 0Ch	6_2_0043000C
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then je 00403D01h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xor dword ptr [eax], ecx	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then inc eax	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then jne 00403CD7h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov eax, 0042B000h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then je 00403D37h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xor dword ptr [eax], ecx	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, 04h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then jne 00403D1Fh	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then popad	6_2_00403CB3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	6_2_00403D50
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add ebx, 04h	6_2_00403D50
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then jl 00403D74h	6_2_00403D50
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, 0Ch	6_2_00403D50
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then popad	6_2_00403D50
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then pop edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov ebx, 00408F6Ch	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then sub ecx, eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xor edx, edx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then push eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then div edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xchg eax, ecx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then loop 00403E23h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov eax, 0042B000h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then mov ebx, 0042E3D0h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then sub ecx, eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xor edx, edx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then push eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then div edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then xchg eax, ecx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then add eax, edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then loop 00403E83h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: 4x nop then popad	6_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then inc eax	7_2_00430000
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then cmp eax, ebx	7_2_00430000
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then test eax, eax	7_2_00430000
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then div edi	7_2_0043009E
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov esi, 61C62A2Eh	7_2_0043009E
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add eax, edi	7_2_0043009E
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then je 00403D01h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xor dword ptr [eax], ecx	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then inc eax	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then jne 00403CD7h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov eax, 0042B000h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then je 00403D37h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xor dword ptr [eax], ecx	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add eax, 04h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then jne 00403D1Fh	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then popad	7_2_00403CB3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	7_2_00403D50
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add ebx, 04h	7_2_00403D50
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then jl 00403D74h	7_2_00403D50
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add eax, 0Ch	7_2_00403D50
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then popad	7_2_00403D50
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then pop edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov ebx, 00408F6Ch	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then sub ecx, eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xor edx, edx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then push eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then div edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xchg eax, ecx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add eax, edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then loop 00403E23h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov eax, 0042B000h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then mov ebx, 0042E3D0h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then sub ecx, eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xor edx, edx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then push eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then div edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then xchg eax, ecx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then add eax, edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then loop 00403E83h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then popad	7_2_00403DC3
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then inc eax	7_2_0042FE60
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then cmp eax, ebx	7_2_0042FE60
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: 4x nop then test eax, eax	7_2_0042FE60
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then pop edi	8_2_00430000
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xchg eax, ecx	8_2_00430000
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then loop 004300C0h	8_2_00430000
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then je 00403D01h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then inc eax	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then jne 00403CD7h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then mov eax, 0042B000h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then je 00403D37h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then add eax, 04h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then jne 00403D1Fh	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then popad	8_2_00403CB3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	8_2_00403D50
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then add ebx, 04h	8_2_00403D50
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then jl 00403D74h	8_2_00403D50
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then add eax, 0Ch	8_2_00403D50
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then popad	8_2_00403D50
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then pop edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then sub ecx, eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xor edx, edx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then push eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then div edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xchg eax, ecx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then add eax, edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then loop 00403E23h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then mov eax, 0042B000h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then sub ecx, eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xor edx, edx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then push eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then div edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xchg eax, ecx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then add eax, edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then loop 00403E83h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then popad	8_2_00403DC3
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then pop edi	8_2_0042FE60
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then xchg eax, ecx	8_2_0042FE60
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: 4x nop then loop 004300C0h	8_2_0042FE60
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then loop 004300C0h	9_2_00430071
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xor dword ptr [ebx], edx	9_2_0043000C
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add ebx, 04h	9_2_0043000C
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then jne 0043001Eh	9_2_0043000C
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then je 00403D01h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then inc eax	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then jne 00403CD7h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then mov eax, 0042B000h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then je 00403D37h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add eax, 04h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then jne 00403D1Fh	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then popad	9_2_00403CB3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	9_2_00403D50
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add ebx, 04h	9_2_00403D50
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then jl 00403D74h	9_2_00403D50
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add eax, 0Ch	9_2_00403D50
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then popad	9_2_00403D50
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then pop edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then mov ebx, 00408F6Ch	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then sub ecx, eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xor edx, edx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then push eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then div edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xchg eax, ecx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add eax, edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then loop 00403E23h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then mov eax, 0042B000h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then mov ebx, 0042E3D0h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then sub ecx, eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xor edx, edx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then push eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then div edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then xchg eax, ecx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then add eax, edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then loop 00403E83h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: 4x nop then popad	9_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then pop edi	10_2_00430000
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then cmp eax, 00000000h	10_2_00430000
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov eax, ecx	10_2_00430000
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor edx, edx	10_2_00430000
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then je 00403D01h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then inc eax	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then jne 00403CD7h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then je 00403D37h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then add eax, 04h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then jne 00403D1Fh	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then popad	10_2_00403CB3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	10_2_00403D50
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then add ebx, 04h	10_2_00403D50
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then jl 00403D74h	10_2_00403D50
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then add eax, 0Ch	10_2_00403D50
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then popad	10_2_00403D50
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then pop edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then sub ecx, eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor edx, edx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then push eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then div edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xchg eax, ecx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then add eax, edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then loop 00403E23h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then sub ecx, eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor edx, edx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then push eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then div edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xchg eax, ecx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then add eax, edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then loop 00403E83h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then popad	10_2_00403DC3
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then pop edi	10_2_0042FE60
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then cmp eax, 00000000h	10_2_0042FE60
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then mov eax, ecx	10_2_0042FE60
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: 4x nop then xor edx, edx	10_2_0042FE60
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then cmp eax, ebx	11_2_00430000
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then mov eax, 0042B000h	11_2_00430000
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then add eax, 04h	11_2_00430000
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then jmp 00401219h	11_2_00430000
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then je 00403D01h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then inc eax	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then jne 00403CD7h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then mov eax, 0042B000h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then je 00403D37h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then add eax, 04h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then jne 00403D1Fh	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then popad	11_2_00403CB3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	11_2_00403D50
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then add ebx, 04h	11_2_00403D50
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then jl 00403D74h	11_2_00403D50
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then add eax, 0Ch	11_2_00403D50
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then popad	11_2_00403D50
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then pop edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	11_2_00403DC3

Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://asechka.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://color-bank.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://crutop.nu
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://crutop.nu/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://crutop.nu/index.php
Source: Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe, 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Kjjlpk32.exe, 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Kkjhjn32.exe, 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Khnicb32.exe, 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Khbbobom.exe, 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Lbmcmgck.exe, 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Lqbqnc32.exe, 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Lileeqgb.exe, 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Lgqbfmlj.exe, 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Mbiciein.exe, 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Mnodnfob.exe, 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru
Source: Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe, 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Kjjlpk32.exe, 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Kkjhjn32.exe, 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Khnicb32.exe, 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Khbbobom.exe, 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Lbmcmgck.exe, 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Lqbqnc32.exe, 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Lileeqgb.exe, 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Lgqbfmlj.exe, 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Mbiciein.exe, 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Mnodnfob.exe, 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: http://crutop.nuAWM
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://crutop.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://crutop.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://cvv.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://cvv.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://devx.nm.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://fethard.biz/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://fethard.biz/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://filesearch.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://fuck.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://gaz-prom.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://goldensand.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://hackers.lv/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://kadet.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://kavkaz.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://kidos-bank.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://konfiskat.org/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://ldark.nm.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://lovingod.host.sk/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://mazafaka.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://mazafaka.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://parex-bank.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://potleaf.chat.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://promo.ru/index.htm
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://ros-neftbank.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://trojan.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://www.redline.ru/index.php
Source: Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	String found in binary or memory: http://xware.cjb.net/index.htm

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Xtks4KI16J.exe, type: SAMPLE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Peadik32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lileeqgb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pkgfpbhq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olpmjffk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkjhjn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lbmcmgck.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olmpdg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jqmnlf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mndmif32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Njfmiegc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mapmoalc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbiciein.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Poeofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jjqijmeq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pojhapkb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnmpodcb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lqbqnc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jbogli32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Naipepdh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lgqbfmlj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikgcna32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nbdbdc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khnicb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhlaakam.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikklipqi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jddqaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Idogffko.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ipfhkgac.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plbiofci.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khbbobom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jgdjcadj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ooipkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obbofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nlaqhh32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kjjlpk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oihnglob.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pklpkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jkbbioja.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Maefjq32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mnodnfob.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown

PE file has a writeable .text section

Source: Xtks4KI16J.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ikgcna32.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Idogffko.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ipfhkgac.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ikklipqi.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jddqaf32.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jjqijmeq.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jgdjcadj.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jqmnlf32.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jkbbioja.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jbogli32.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kjjlpk32.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kkjhjn32.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Khnicb32.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Khbbobom.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Lbmcmgck.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Lqbqnc32.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Lileeqgb.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Lgqbfmlj.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mbiciein.exe.18.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mnodnfob.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mapmoalc.exe.20.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mndmif32.exe.21.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mhlaakam.exe.22.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Maefjq32.exe.23.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nbdbdc32.exe.24.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Naipepdh.exe.25.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nnmpodcb.exe.26.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nlaqhh32.exe.27.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Njfmiegc.exe.28.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oihnglob.exe.29.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Obbofa32.exe.30.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ooipkb32.exe.31.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Olmpdg32.exe.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Olpmjffk.exe.33.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plbiofci.exe.34.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pkgfpbhq.exe.35.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Poeofa32.exe.36.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pklpkb32.exe.37.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Peadik32.exe.38.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pojhapkb.exe.39.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Ikgcna32.exe	Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Ikgcna32.exe:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Hiiodl32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Idogffko.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Ojkfapce.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Ipfhkgac.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Qelfpmpj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Ikklipqi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Pkdiefem.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Jddqaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Ghhjiigd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Jjqijmeq.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Ekicli32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Jgdjcadj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Glblcojl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Jqmnlf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Ppgdmofd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Jkbbioja.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Dblkhkce.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Jbogli32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Cacope32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Kjjlpk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Egobfg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Kkjhjn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Gedgjccb.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Khnicb32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Jdhlnhlh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Khbbobom.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Fpianhmj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Lbmcmgck.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Cmjgejad.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Lqbqnc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Moqmapgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Lileeqgb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Beofla32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Lgqbfmlj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Pmallabk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Mbiciein.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Oelbhifg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Mnodnfob.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Hdlllf32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Mapmoalc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Jebgbcgg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mndmif32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mmppcahg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Mhlaakam.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Ledhoq32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Maefjq32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Epibpnek.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Nbdbdc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Dajmooqf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Naipepdh.exe
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Ckllojnq.dll
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Nnmpodcb.exe
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Biiggc32.dll
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Nlaqhh32.exe
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Pnnifl32.dll
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Njfmiegc.exe
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Jccpao32.dll
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Oihnglob.exe
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Efqdik32.dll
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Obbofa32.exe
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Hilimkhd.dll
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Ooipkb32.exe
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Jlihgcil.dll
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Olmpdg32.exe
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Mnjfhgoc.dll
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Olpmjffk.exe
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Nghjeepc.dll
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Plbiofci.exe
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Alqeloga.dll
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Pkgfpbhq.exe
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Jpjjpdfj.dll
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Poeofa32.exe
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Gjdogi32.dll
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Pklpkb32.exe
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Ocnhkj32.dll
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Peadik32.exe
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Ndbcmg32.dll
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Pojhapkb.exe
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Omfmbkgb.dll

Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Idogffko.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Obbofa32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Obbofa32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Khnicb32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Khnicb32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mbiciein.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mbiciein.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Peadik32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Peadik32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jbogli32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oihnglob.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oihnglob.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Khbbobom.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Khbbobom.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Plbiofci.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Plbiofci.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Poeofa32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Poeofa32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mndmif32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mndmif32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Maefjq32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Maefjq32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Naipepdh.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Naipepdh.exe	Code function: String function: 00408F18 appears 42 times

Source: Xtks4KI16J.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Xtks4KI16J.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04

Source: classification engine

Classification label: mal100.troj.evad.winEXE@80/81@0/0

Source: Xtks4KI16J.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Xtks4KI16J.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Xtks4KI16J.exe

File read: C:\Users\user\Desktop\Xtks4KI16J.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xtks4KI16J.exe "C:\Users\user\Desktop\Xtks4KI16J.exe"
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Process created: C:\Windows\SysWOW64\Ikgcna32.exe C:\Windows\system32\Ikgcna32.exe
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Process created: C:\Windows\SysWOW64\Idogffko.exe C:\Windows\system32\Idogffko.exe
Source: C:\Windows\SysWOW64\Idogffko.exe	Process created: C:\Windows\SysWOW64\Ipfhkgac.exe C:\Windows\system32\Ipfhkgac.exe
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Process created: C:\Windows\SysWOW64\Ikklipqi.exe C:\Windows\system32\Ikklipqi.exe
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Process created: C:\Windows\SysWOW64\Jddqaf32.exe C:\Windows\system32\Jddqaf32.exe
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Process created: C:\Windows\SysWOW64\Jjqijmeq.exe C:\Windows\system32\Jjqijmeq.exe
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Process created: C:\Windows\SysWOW64\Jgdjcadj.exe C:\Windows\system32\Jgdjcadj.exe
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Process created: C:\Windows\SysWOW64\Jqmnlf32.exe C:\Windows\system32\Jqmnlf32.exe
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Process created: C:\Windows\SysWOW64\Jkbbioja.exe C:\Windows\system32\Jkbbioja.exe
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Process created: C:\Windows\SysWOW64\Jbogli32.exe C:\Windows\system32\Jbogli32.exe
Source: C:\Windows\SysWOW64\Jbogli32.exe	Process created: C:\Windows\SysWOW64\Kjjlpk32.exe C:\Windows\system32\Kjjlpk32.exe
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Process created: C:\Windows\SysWOW64\Kkjhjn32.exe C:\Windows\system32\Kkjhjn32.exe
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Process created: C:\Windows\SysWOW64\Khnicb32.exe C:\Windows\system32\Khnicb32.exe
Source: C:\Windows\SysWOW64\Khnicb32.exe	Process created: C:\Windows\SysWOW64\Khbbobom.exe C:\Windows\system32\Khbbobom.exe
Source: C:\Windows\SysWOW64\Khbbobom.exe	Process created: C:\Windows\SysWOW64\Lbmcmgck.exe C:\Windows\system32\Lbmcmgck.exe
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Process created: C:\Windows\SysWOW64\Lqbqnc32.exe C:\Windows\system32\Lqbqnc32.exe
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Process created: C:\Windows\SysWOW64\Lileeqgb.exe C:\Windows\system32\Lileeqgb.exe
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Process created: C:\Windows\SysWOW64\Lgqbfmlj.exe C:\Windows\system32\Lgqbfmlj.exe
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Process created: C:\Windows\SysWOW64\Mbiciein.exe C:\Windows\system32\Mbiciein.exe
Source: C:\Windows\SysWOW64\Mbiciein.exe	Process created: C:\Windows\SysWOW64\Mnodnfob.exe C:\Windows\system32\Mnodnfob.exe
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Process created: C:\Windows\SysWOW64\Mapmoalc.exe C:\Windows\system32\Mapmoalc.exe
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Process created: C:\Windows\SysWOW64\Mndmif32.exe C:\Windows\system32\Mndmif32.exe
Source: C:\Windows\SysWOW64\Mndmif32.exe	Process created: C:\Windows\SysWOW64\Mhlaakam.exe C:\Windows\system32\Mhlaakam.exe
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Process created: C:\Windows\SysWOW64\Maefjq32.exe C:\Windows\system32\Maefjq32.exe
Source: C:\Windows\SysWOW64\Maefjq32.exe	Process created: C:\Windows\SysWOW64\Nbdbdc32.exe C:\Windows\system32\Nbdbdc32.exe
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Process created: C:\Windows\SysWOW64\Naipepdh.exe C:\Windows\system32\Naipepdh.exe
Source: C:\Windows\SysWOW64\Naipepdh.exe	Process created: C:\Windows\SysWOW64\Nnmpodcb.exe C:\Windows\system32\Nnmpodcb.exe
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Process created: C:\Windows\SysWOW64\Nlaqhh32.exe C:\Windows\system32\Nlaqhh32.exe
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Process created: C:\Windows\SysWOW64\Njfmiegc.exe C:\Windows\system32\Njfmiegc.exe
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Process created: C:\Windows\SysWOW64\Oihnglob.exe C:\Windows\system32\Oihnglob.exe
Source: C:\Windows\SysWOW64\Oihnglob.exe	Process created: C:\Windows\SysWOW64\Obbofa32.exe C:\Windows\system32\Obbofa32.exe
Source: C:\Windows\SysWOW64\Obbofa32.exe	Process created: C:\Windows\SysWOW64\Ooipkb32.exe C:\Windows\system32\Ooipkb32.exe
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Process created: C:\Windows\SysWOW64\Olmpdg32.exe C:\Windows\system32\Olmpdg32.exe
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Process created: C:\Windows\SysWOW64\Olpmjffk.exe C:\Windows\system32\Olpmjffk.exe
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Process created: C:\Windows\SysWOW64\Plbiofci.exe C:\Windows\system32\Plbiofci.exe
Source: C:\Windows\SysWOW64\Plbiofci.exe	Process created: C:\Windows\SysWOW64\Pkgfpbhq.exe C:\Windows\system32\Pkgfpbhq.exe
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Process created: C:\Windows\SysWOW64\Poeofa32.exe C:\Windows\system32\Poeofa32.exe
Source: C:\Windows\SysWOW64\Poeofa32.exe	Process created: C:\Windows\SysWOW64\Pklpkb32.exe C:\Windows\system32\Pklpkb32.exe
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Process created: C:\Windows\SysWOW64\Peadik32.exe C:\Windows\system32\Peadik32.exe
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Process created: C:\Windows\SysWOW64\Ikgcna32.exe C:\Windows\system32\Ikgcna32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Process created: C:\Windows\SysWOW64\Idogffko.exe C:\Windows\system32\Idogffko.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	Process created: C:\Windows\SysWOW64\Ipfhkgac.exe C:\Windows\system32\Ipfhkgac.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Process created: C:\Windows\SysWOW64\Ikklipqi.exe C:\Windows\system32\Ikklipqi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Process created: C:\Windows\SysWOW64\Jddqaf32.exe C:\Windows\system32\Jddqaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Process created: C:\Windows\SysWOW64\Jjqijmeq.exe C:\Windows\system32\Jjqijmeq.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Process created: C:\Windows\SysWOW64\Jgdjcadj.exe C:\Windows\system32\Jgdjcadj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Process created: C:\Windows\SysWOW64\Jqmnlf32.exe C:\Windows\system32\Jqmnlf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Process created: C:\Windows\SysWOW64\Jkbbioja.exe C:\Windows\system32\Jkbbioja.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Process created: C:\Windows\SysWOW64\Jbogli32.exe C:\Windows\system32\Jbogli32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Process created: C:\Windows\SysWOW64\Kjjlpk32.exe C:\Windows\system32\Kjjlpk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Process created: C:\Windows\SysWOW64\Kkjhjn32.exe C:\Windows\system32\Kkjhjn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Process created: C:\Windows\SysWOW64\Khnicb32.exe C:\Windows\system32\Khnicb32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	Process created: C:\Windows\SysWOW64\Khbbobom.exe C:\Windows\system32\Khbbobom.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Process created: C:\Windows\SysWOW64\Lbmcmgck.exe C:\Windows\system32\Lbmcmgck.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Process created: C:\Windows\SysWOW64\Lqbqnc32.exe C:\Windows\system32\Lqbqnc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Process created: C:\Windows\SysWOW64\Lileeqgb.exe C:\Windows\system32\Lileeqgb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Process created: C:\Windows\SysWOW64\Lgqbfmlj.exe C:\Windows\system32\Lgqbfmlj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Process created: C:\Windows\SysWOW64\Mbiciein.exe C:\Windows\system32\Mbiciein.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Process created: C:\Windows\SysWOW64\Mnodnfob.exe C:\Windows\system32\Mnodnfob.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Process created: C:\Windows\SysWOW64\Mapmoalc.exe C:\Windows\system32\Mapmoalc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Process created: C:\Windows\SysWOW64\Mndmif32.exe C:\Windows\system32\Mndmif32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Process created: C:\Windows\SysWOW64\Mhlaakam.exe C:\Windows\system32\Mhlaakam.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Process created: C:\Windows\SysWOW64\Maefjq32.exe C:\Windows\system32\Maefjq32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Process created: C:\Windows\SysWOW64\Nbdbdc32.exe C:\Windows\system32\Nbdbdc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Process created: C:\Windows\SysWOW64\Naipepdh.exe C:\Windows\system32\Naipepdh.exe
Source: C:\Windows\SysWOW64\Naipepdh.exe	Process created: C:\Windows\SysWOW64\Nnmpodcb.exe C:\Windows\system32\Nnmpodcb.exe
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Process created: C:\Windows\SysWOW64\Nlaqhh32.exe C:\Windows\system32\Nlaqhh32.exe
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Process created: C:\Windows\SysWOW64\Njfmiegc.exe C:\Windows\system32\Njfmiegc.exe
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Process created: C:\Windows\SysWOW64\Oihnglob.exe C:\Windows\system32\Oihnglob.exe
Source: C:\Windows\SysWOW64\Oihnglob.exe	Process created: C:\Windows\SysWOW64\Obbofa32.exe C:\Windows\system32\Obbofa32.exe
Source: C:\Windows\SysWOW64\Obbofa32.exe	Process created: C:\Windows\SysWOW64\Ooipkb32.exe C:\Windows\system32\Ooipkb32.exe
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Process created: C:\Windows\SysWOW64\Olmpdg32.exe C:\Windows\system32\Olmpdg32.exe
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Process created: C:\Windows\SysWOW64\Olpmjffk.exe C:\Windows\system32\Olpmjffk.exe
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Process created: C:\Windows\SysWOW64\Plbiofci.exe C:\Windows\system32\Plbiofci.exe
Source: C:\Windows\SysWOW64\Plbiofci.exe	Process created: C:\Windows\SysWOW64\Pkgfpbhq.exe C:\Windows\system32\Pkgfpbhq.exe
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Process created: C:\Windows\SysWOW64\Poeofa32.exe C:\Windows\system32\Poeofa32.exe
Source: C:\Windows\SysWOW64\Poeofa32.exe	Process created: C:\Windows\SysWOW64\Pklpkb32.exe C:\Windows\system32\Pklpkb32.exe
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Process created: C:\Windows\SysWOW64\Peadik32.exe C:\Windows\system32\Peadik32.exe
Source: C:\Windows\SysWOW64\Peadik32.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Idogffko.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khnicb32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Naipepdh.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Naipepdh.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Naipepdh.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Naipepdh.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oihnglob.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oihnglob.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oihnglob.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oihnglob.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Obbofa32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Obbofa32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Obbofa32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Obbofa32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plbiofci.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plbiofci.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plbiofci.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plbiofci.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Poeofa32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Poeofa32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Poeofa32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Poeofa32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Peadik32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Peadik32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Peadik32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Peadik32.exe	Section loaded: ntmarta.dll

Source: initial sample

Static PE information: section where entry point is pointing to: .fldo

Source: Xtks4KI16J.exe	Static PE information: section name: .fldo
Source: Xtks4KI16J.exe	Static PE information: section name: .l1
Source: Ikgcna32.exe.0.dr	Static PE information: section name: .fldo
Source: Ikgcna32.exe.0.dr	Static PE information: section name: .l1
Source: Idogffko.exe.1.dr	Static PE information: section name: .fldo
Source: Idogffko.exe.1.dr	Static PE information: section name: .l1
Source: Ipfhkgac.exe.2.dr	Static PE information: section name: .fldo
Source: Ipfhkgac.exe.2.dr	Static PE information: section name: .l1
Source: Ikklipqi.exe.3.dr	Static PE information: section name: .fldo
Source: Ikklipqi.exe.3.dr	Static PE information: section name: .l1
Source: Jddqaf32.exe.4.dr	Static PE information: section name: .fldo
Source: Jddqaf32.exe.4.dr	Static PE information: section name: .l1
Source: Jjqijmeq.exe.5.dr	Static PE information: section name: .fldo
Source: Jjqijmeq.exe.5.dr	Static PE information: section name: .l1
Source: Jgdjcadj.exe.6.dr	Static PE information: section name: .fldo
Source: Jgdjcadj.exe.6.dr	Static PE information: section name: .l1
Source: Jqmnlf32.exe.7.dr	Static PE information: section name: .fldo
Source: Jqmnlf32.exe.7.dr	Static PE information: section name: .l1
Source: Jkbbioja.exe.8.dr	Static PE information: section name: .fldo
Source: Jkbbioja.exe.8.dr	Static PE information: section name: .l1
Source: Jbogli32.exe.9.dr	Static PE information: section name: .fldo
Source: Jbogli32.exe.9.dr	Static PE information: section name: .l1
Source: Kjjlpk32.exe.10.dr	Static PE information: section name: .fldo
Source: Kjjlpk32.exe.10.dr	Static PE information: section name: .l1
Source: Kkjhjn32.exe.11.dr	Static PE information: section name: .fldo
Source: Kkjhjn32.exe.11.dr	Static PE information: section name: .l1
Source: Khnicb32.exe.12.dr	Static PE information: section name: .fldo
Source: Khnicb32.exe.12.dr	Static PE information: section name: .l1
Source: Khbbobom.exe.13.dr	Static PE information: section name: .fldo
Source: Khbbobom.exe.13.dr	Static PE information: section name: .l1
Source: Lbmcmgck.exe.14.dr	Static PE information: section name: .fldo
Source: Lbmcmgck.exe.14.dr	Static PE information: section name: .l1
Source: Lqbqnc32.exe.15.dr	Static PE information: section name: .fldo
Source: Lqbqnc32.exe.15.dr	Static PE information: section name: .l1
Source: Lileeqgb.exe.16.dr	Static PE information: section name: .fldo
Source: Lileeqgb.exe.16.dr	Static PE information: section name: .l1
Source: Lgqbfmlj.exe.17.dr	Static PE information: section name: .fldo
Source: Lgqbfmlj.exe.17.dr	Static PE information: section name: .l1
Source: Mbiciein.exe.18.dr	Static PE information: section name: .fldo
Source: Mbiciein.exe.18.dr	Static PE information: section name: .l1
Source: Mnodnfob.exe.19.dr	Static PE information: section name: .fldo
Source: Mnodnfob.exe.19.dr	Static PE information: section name: .l1
Source: Mapmoalc.exe.20.dr	Static PE information: section name: .fldo
Source: Mapmoalc.exe.20.dr	Static PE information: section name: .l1
Source: Mndmif32.exe.21.dr	Static PE information: section name: .fldo
Source: Mndmif32.exe.21.dr	Static PE information: section name: .l1
Source: Mhlaakam.exe.22.dr	Static PE information: section name: .fldo
Source: Mhlaakam.exe.22.dr	Static PE information: section name: .l1
Source: Maefjq32.exe.23.dr	Static PE information: section name: .fldo
Source: Maefjq32.exe.23.dr	Static PE information: section name: .l1
Source: Nbdbdc32.exe.24.dr	Static PE information: section name: .fldo
Source: Nbdbdc32.exe.24.dr	Static PE information: section name: .l1
Source: Naipepdh.exe.25.dr	Static PE information: section name: .fldo
Source: Naipepdh.exe.25.dr	Static PE information: section name: .l1
Source: Nnmpodcb.exe.26.dr	Static PE information: section name: .fldo
Source: Nnmpodcb.exe.26.dr	Static PE information: section name: .l1
Source: Nlaqhh32.exe.27.dr	Static PE information: section name: .fldo
Source: Nlaqhh32.exe.27.dr	Static PE information: section name: .l1
Source: Njfmiegc.exe.28.dr	Static PE information: section name: .fldo
Source: Njfmiegc.exe.28.dr	Static PE information: section name: .l1
Source: Oihnglob.exe.29.dr	Static PE information: section name: .fldo
Source: Oihnglob.exe.29.dr	Static PE information: section name: .l1
Source: Obbofa32.exe.30.dr	Static PE information: section name: .fldo
Source: Obbofa32.exe.30.dr	Static PE information: section name: .l1
Source: Ooipkb32.exe.31.dr	Static PE information: section name: .fldo
Source: Ooipkb32.exe.31.dr	Static PE information: section name: .l1
Source: Olmpdg32.exe.32.dr	Static PE information: section name: .fldo
Source: Olmpdg32.exe.32.dr	Static PE information: section name: .l1
Source: Olpmjffk.exe.33.dr	Static PE information: section name: .fldo
Source: Olpmjffk.exe.33.dr	Static PE information: section name: .l1
Source: Plbiofci.exe.34.dr	Static PE information: section name: .fldo
Source: Plbiofci.exe.34.dr	Static PE information: section name: .l1
Source: Pkgfpbhq.exe.35.dr	Static PE information: section name: .fldo
Source: Pkgfpbhq.exe.35.dr	Static PE information: section name: .l1
Source: Poeofa32.exe.36.dr	Static PE information: section name: .fldo
Source: Poeofa32.exe.36.dr	Static PE information: section name: .l1
Source: Pklpkb32.exe.37.dr	Static PE information: section name: .fldo
Source: Pklpkb32.exe.37.dr	Static PE information: section name: .l1
Source: Peadik32.exe.38.dr	Static PE information: section name: .fldo
Source: Peadik32.exe.38.dr	Static PE information: section name: .l1
Source: Pojhapkb.exe.39.dr	Static PE information: section name: .fldo
Source: Pojhapkb.exe.39.dr	Static PE information: section name: .l1

Source: Xtks4KI16J.exe	Static PE information: section name: .text entropy: 7.11901866962878
Source: Ikgcna32.exe.0.dr	Static PE information: section name: .text entropy: 7.190482233326463
Source: Idogffko.exe.1.dr	Static PE information: section name: .text entropy: 7.182542383755306
Source: Ipfhkgac.exe.2.dr	Static PE information: section name: .text entropy: 7.135642593039847
Source: Ikklipqi.exe.3.dr	Static PE information: section name: .text entropy: 7.104728061422748
Source: Jddqaf32.exe.4.dr	Static PE information: section name: .text entropy: 7.21411877798477
Source: Jjqijmeq.exe.5.dr	Static PE information: section name: .text entropy: 7.138073122378964
Source: Jgdjcadj.exe.6.dr	Static PE information: section name: .text entropy: 7.192508151374742
Source: Jqmnlf32.exe.7.dr	Static PE information: section name: .text entropy: 7.194759778229209
Source: Jkbbioja.exe.8.dr	Static PE information: section name: .text entropy: 7.183360324964623
Source: Jbogli32.exe.9.dr	Static PE information: section name: .text entropy: 7.153167319817991
Source: Kjjlpk32.exe.10.dr	Static PE information: section name: .text entropy: 7.159637234597299
Source: Kkjhjn32.exe.11.dr	Static PE information: section name: .text entropy: 7.149258724172837
Source: Khnicb32.exe.12.dr	Static PE information: section name: .text entropy: 7.163630091069971
Source: Khbbobom.exe.13.dr	Static PE information: section name: .text entropy: 7.1867247509206775
Source: Lbmcmgck.exe.14.dr	Static PE information: section name: .text entropy: 7.1930633726426745
Source: Lqbqnc32.exe.15.dr	Static PE information: section name: .text entropy: 7.210708880311055
Source: Lileeqgb.exe.16.dr	Static PE information: section name: .text entropy: 7.140865936092607
Source: Lgqbfmlj.exe.17.dr	Static PE information: section name: .text entropy: 7.13081718182071
Source: Mbiciein.exe.18.dr	Static PE information: section name: .text entropy: 7.192261615740379
Source: Mnodnfob.exe.19.dr	Static PE information: section name: .text entropy: 7.197782097718514
Source: Mapmoalc.exe.20.dr	Static PE information: section name: .text entropy: 6.913569012186454
Source: Mndmif32.exe.21.dr	Static PE information: section name: .text entropy: 7.110695297428297
Source: Mhlaakam.exe.22.dr	Static PE information: section name: .text entropy: 7.125492917293478
Source: Maefjq32.exe.23.dr	Static PE information: section name: .text entropy: 7.102046689140308
Source: Nbdbdc32.exe.24.dr	Static PE information: section name: .text entropy: 7.146145917559521
Source: Naipepdh.exe.25.dr	Static PE information: section name: .text entropy: 7.148389017019169
Source: Nnmpodcb.exe.26.dr	Static PE information: section name: .text entropy: 7.101563612780033
Source: Nlaqhh32.exe.27.dr	Static PE information: section name: .text entropy: 7.109467712533071
Source: Njfmiegc.exe.28.dr	Static PE information: section name: .text entropy: 7.109694463614794
Source: Oihnglob.exe.29.dr	Static PE information: section name: .text entropy: 7.194965376176864
Source: Obbofa32.exe.30.dr	Static PE information: section name: .text entropy: 7.152775086787048
Source: Ooipkb32.exe.31.dr	Static PE information: section name: .text entropy: 7.217200550652767
Source: Olmpdg32.exe.32.dr	Static PE information: section name: .text entropy: 7.2161538654330935
Source: Olpmjffk.exe.33.dr	Static PE information: section name: .text entropy: 6.945021889194044
Source: Plbiofci.exe.34.dr	Static PE information: section name: .text entropy: 7.162281357562582
Source: Pkgfpbhq.exe.35.dr	Static PE information: section name: .text entropy: 7.199667343423311
Source: Poeofa32.exe.36.dr	Static PE information: section name: .text entropy: 7.196963257079966
Source: Pklpkb32.exe.37.dr	Static PE information: section name: .text entropy: 7.108552173876771
Source: Peadik32.exe.38.dr	Static PE information: section name: .text entropy: 7.171066258230804
Source: Pojhapkb.exe.39.dr	Static PE information: section name: .text entropy: 7.1839375244240244

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Executable created and started: C:\Windows\SysWOW64\Ikklipqi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Executable created and started: C:\Windows\SysWOW64\Jqmnlf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Executable created and started: C:\Windows\SysWOW64\Olmpdg32.exe
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Executable created and started: C:\Windows\SysWOW64\Lileeqgb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Maefjq32.exe	Executable created and started: C:\Windows\SysWOW64\Nbdbdc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikklipqi.exe	Executable created and started: C:\Windows\SysWOW64\Jddqaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Executable created and started: C:\Windows\SysWOW64\Jjqijmeq.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mbiciein.exe	Executable created and started: C:\Windows\SysWOW64\Mnodnfob.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Executable created and started: C:\Windows\SysWOW64\Oihnglob.exe
Source: C:\Windows\SysWOW64\Poeofa32.exe	Executable created and started: C:\Windows\SysWOW64\Pklpkb32.exe
Source: C:\Windows\SysWOW64\Khnicb32.exe	Executable created and started: C:\Windows\SysWOW64\Khbbobom.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Executable created and started: C:\Windows\SysWOW64\Jkbbioja.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Naipepdh.exe	Executable created and started: C:\Windows\SysWOW64\Nnmpodcb.exe
Source: C:\Windows\SysWOW64\Plbiofci.exe	Executable created and started: C:\Windows\SysWOW64\Pkgfpbhq.exe
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Executable created and started: C:\Windows\SysWOW64\Poeofa32.exe
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Executable created and started: C:\Windows\SysWOW64\Mapmoalc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Executable created and started: C:\Windows\SysWOW64\Naipepdh.exe
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Executable created and started: C:\Windows\SysWOW64\Ikgcna32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mndmif32.exe	Executable created and started: C:\Windows\SysWOW64\Mhlaakam.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Executable created and started: C:\Windows\SysWOW64\Idogffko.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Executable created and started: C:\Windows\SysWOW64\Lqbqnc32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oihnglob.exe	Executable created and started: C:\Windows\SysWOW64\Obbofa32.exe
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Executable created and started: C:\Windows\SysWOW64\Nlaqhh32.exe
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Executable created and started: C:\Windows\SysWOW64\Khnicb32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Khbbobom.exe	Executable created and started: C:\Windows\SysWOW64\Lbmcmgck.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Executable created and started: C:\Windows\SysWOW64\Mbiciein.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Executable created and started: C:\Windows\SysWOW64\Peadik32.exe
Source: C:\Windows\SysWOW64\Idogffko.exe	Executable created and started: C:\Windows\SysWOW64\Ipfhkgac.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jbogli32.exe	Executable created and started: C:\Windows\SysWOW64\Kjjlpk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Executable created and started: C:\Windows\SysWOW64\Jbogli32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Executable created and started: C:\Windows\SysWOW64\Njfmiegc.exe
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Executable created and started: C:\Windows\SysWOW64\Plbiofci.exe
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Executable created and started: C:\Windows\SysWOW64\Kkjhjn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Executable created and started: C:\Windows\SysWOW64\Jgdjcadj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Executable created and started: C:\Windows\SysWOW64\Olpmjffk.exe
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Executable created and started: C:\Windows\SysWOW64\Mndmif32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Executable created and started: C:\Windows\SysWOW64\Maefjq32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Obbofa32.exe	Executable created and started: C:\Windows\SysWOW64\Ooipkb32.exe
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Executable created and started: C:\Windows\SysWOW64\Lgqbfmlj.exe	Jump to behavior

Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Ghhjiigd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Epibpnek.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Ocnhkj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Jebgbcgg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Jdhlnhlh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Ojkfapce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Ikklipqi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Jqmnlf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Olmpdg32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Alqeloga.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Cmjgejad.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Lileeqgb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Biiggc32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Nbdbdc32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mmppcahg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Glblcojl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Egobfg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Beofla32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Jddqaf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Ppgdmofd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Jjqijmeq.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Mnodnfob.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Mnjfhgoc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Pnnifl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Qelfpmpj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Oihnglob.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Pklpkb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Gjdogi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Gedgjccb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Khbbobom.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Jkbbioja.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Fpianhmj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Nnmpodcb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Pkgfpbhq.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Poeofa32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Mapmoalc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Jccpao32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Efqdik32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Ledhoq32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Hdlllf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Naipepdh.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Pmallabk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Ikgcna32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Pkdiefem.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Oelbhifg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Mhlaakam.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Idogffko.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Lqbqnc32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Obbofa32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Nlaqhh32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Khnicb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Lbmcmgck.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Mbiciein.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Nghjeepc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Ckllojnq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Jlihgcil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Pojhapkb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Ekicli32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Omfmbkgb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Dblkhkce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Peadik32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Ipfhkgac.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Kjjlpk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Ndbcmg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Jbogli32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Moqmapgi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Njfmiegc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Dajmooqf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Plbiofci.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Kkjhjn32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Jgdjcadj.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Cacope32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Olpmjffk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Hiiodl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Jpjjpdfj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mndmif32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Maefjq32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Hilimkhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Ooipkb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Lgqbfmlj.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Ghhjiigd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Epibpnek.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Ocnhkj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Jebgbcgg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Jdhlnhlh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Ojkfapce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Ikklipqi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Jqmnlf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Olmpdg32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Alqeloga.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Cmjgejad.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Lileeqgb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Biiggc32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Nbdbdc32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mmppcahg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Glblcojl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Egobfg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	File created: C:\Windows\SysWOW64\Beofla32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikklipqi.exe	File created: C:\Windows\SysWOW64\Jddqaf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	File created: C:\Windows\SysWOW64\Ppgdmofd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Jjqijmeq.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Mnodnfob.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ooipkb32.exe	File created: C:\Windows\SysWOW64\Mnjfhgoc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Pnnifl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Qelfpmpj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Oihnglob.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Poeofa32.exe	File created: C:\Windows\SysWOW64\Pklpkb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Gjdogi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Gedgjccb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Khbbobom.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Jkbbioja.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Khnicb32.exe	File created: C:\Windows\SysWOW64\Fpianhmj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Naipepdh.exe	File created: C:\Windows\SysWOW64\Nnmpodcb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Pkgfpbhq.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	File created: C:\Windows\SysWOW64\Poeofa32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mnodnfob.exe	File created: C:\Windows\SysWOW64\Mapmoalc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Jccpao32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Njfmiegc.exe	File created: C:\Windows\SysWOW64\Efqdik32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Ledhoq32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbiciein.exe	File created: C:\Windows\SysWOW64\Hdlllf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Naipepdh.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Pmallabk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Ikgcna32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	File created: C:\Windows\SysWOW64\Pkdiefem.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Oelbhifg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mndmif32.exe	File created: C:\Windows\SysWOW64\Mhlaakam.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikgcna32.exe	File created: C:\Windows\SysWOW64\Idogffko.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Lqbqnc32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Obbofa32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	File created: C:\Windows\SysWOW64\Nlaqhh32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	File created: C:\Windows\SysWOW64\Khnicb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Khbbobom.exe	File created: C:\Windows\SysWOW64\Lbmcmgck.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	File created: C:\Windows\SysWOW64\Mbiciein.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Nghjeepc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	File created: C:\Windows\SysWOW64\Ckllojnq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Jlihgcil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Pojhapkb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jddqaf32.exe	File created: C:\Windows\SysWOW64\Ekicli32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	File created: C:\Windows\SysWOW64\Omfmbkgb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	File created: C:\Windows\SysWOW64\Dblkhkce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Peadik32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Idogffko.exe	File created: C:\Windows\SysWOW64\Ipfhkgac.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jbogli32.exe	File created: C:\Windows\SysWOW64\Kjjlpk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pklpkb32.exe	File created: C:\Windows\SysWOW64\Ndbcmg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Jbogli32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	File created: C:\Windows\SysWOW64\Moqmapgi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	File created: C:\Windows\SysWOW64\Njfmiegc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Maefjq32.exe	File created: C:\Windows\SysWOW64\Dajmooqf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olpmjffk.exe	File created: C:\Windows\SysWOW64\Plbiofci.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	File created: C:\Windows\SysWOW64\Kkjhjn32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	File created: C:\Windows\SysWOW64\Jgdjcadj.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jkbbioja.exe	File created: C:\Windows\SysWOW64\Cacope32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olmpdg32.exe	File created: C:\Windows\SysWOW64\Olpmjffk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	File created: C:\Windows\SysWOW64\Hiiodl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Plbiofci.exe	File created: C:\Windows\SysWOW64\Jpjjpdfj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mapmoalc.exe	File created: C:\Windows\SysWOW64\Mndmif32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhlaakam.exe	File created: C:\Windows\SysWOW64\Maefjq32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oihnglob.exe	File created: C:\Windows\SysWOW64\Hilimkhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obbofa32.exe	File created: C:\Windows\SysWOW64\Ooipkb32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Lileeqgb.exe	File created: C:\Windows\SysWOW64\Lgqbfmlj.exe	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger			Jump to behavior
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger			Jump to behavior

Source: C:\Windows\SysWOW64\Ikklipqi.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ghhjiigd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhlaakam.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Epibpnek.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lileeqgb.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pmallabk.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Poeofa32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ocnhkj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mnodnfob.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jebgbcgg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lgqbfmlj.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Oelbhifg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkjhjn32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jdhlnhlh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ipfhkgac.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pkdiefem.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ikgcna32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ojkfapce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olpmjffk.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Alqeloga.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khbbobom.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Cmjgejad.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Naipepdh.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Biiggc32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mapmoalc.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Mmppcahg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jjqijmeq.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Glblcojl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lqbqnc32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Beofla32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jbogli32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Egobfg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Olmpdg32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Nghjeepc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obbofa32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jlihgcil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nbdbdc32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ckllojnq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jgdjcadj.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ppgdmofd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pojhapkb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Peadik32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Omfmbkgb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jddqaf32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekicli32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jqmnlf32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Dblkhkce.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ooipkb32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Mnjfhgoc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnmpodcb.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pnnifl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pklpkb32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ndbcmg32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Idogffko.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Qelfpmpj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Lbmcmgck.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Moqmapgi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pkgfpbhq.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Gjdogi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kjjlpk32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Gedgjccb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Maefjq32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Dajmooqf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jkbbioja.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Cacope32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Khnicb32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Fpianhmj.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Xtks4KI16J.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Hiiodl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Plbiofci.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jpjjpdfj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nlaqhh32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jccpao32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Njfmiegc.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Efqdik32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oihnglob.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Hilimkhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mndmif32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ledhoq32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbiciein.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Hdlllf32.dll	Jump to dropped file

Stealing of Sensitive Information

Yara detected Berbew

Source: Yara match	File source: 3.2.Ipfhkgac.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Naipepdh.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Kjjlpk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Maefjq32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Ooipkb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Oihnglob.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Ikgcna32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Jbogli32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Nnmpodcb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Pkgfpbhq.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Jqmnlf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Kjjlpk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Pklpkb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Kkjhjn32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Jddqaf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Jgdjcadj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Nbdbdc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Mapmoalc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lqbqnc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Lgqbfmlj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Olpmjffk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Poeofa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Ipfhkgac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Mndmif32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Ikklipqi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Khnicb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Peadik32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Lileeqgb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xtks4KI16J.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Mndmif32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Lbmcmgck.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Lgqbfmlj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Nlaqhh32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Jqmnlf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Plbiofci.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Nlaqhh32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Ikgcna32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Mbiciein.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Olpmjffk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Lileeqgb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Lbmcmgck.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Khbbobom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Jkbbioja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Peadik32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Nnmpodcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Njfmiegc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Khnicb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Pkgfpbhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Oihnglob.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Mnodnfob.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Maefjq32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Idogffko.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Mapmoalc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Olmpdg32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Plbiofci.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Jgdjcadj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Poeofa32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Mbiciein.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Jbogli32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Pklpkb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Jjqijmeq.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Obbofa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Jkbbioja.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Ikklipqi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Olmpdg32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Khbbobom.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Jjqijmeq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Mnodnfob.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xtks4KI16J.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Obbofa32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Mhlaakam.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lqbqnc32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Kkjhjn32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Idogffko.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Ooipkb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Jddqaf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Nbdbdc32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Njfmiegc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Mhlaakam.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Naipepdh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2001051775.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2012897426.000000000042B000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2002980502.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2017857827.000000000042B000.00000004.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2009121717.000000000042B000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1998585566.000000000042B000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2004365207.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2016019452.000000000042B000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2011709914.000000000042B000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2005187515.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2010388848.000000000042B000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2008077984.000000000042B000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1999586381.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2017111770.000000000042B000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1997873391.000000000042B000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2015659350.000000000042B000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2014944937.000000000042B000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2002193178.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2007198128.000000000042B000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: Xtks4KI16J.exe, type: SAMPLE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Peadik32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lileeqgb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pkgfpbhq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olpmjffk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkjhjn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lbmcmgck.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olmpdg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jqmnlf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mndmif32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Njfmiegc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mapmoalc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbiciein.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Poeofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jjqijmeq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pojhapkb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnmpodcb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lqbqnc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jbogli32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Naipepdh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lgqbfmlj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikgcna32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nbdbdc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khnicb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhlaakam.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikklipqi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jddqaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Idogffko.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ipfhkgac.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plbiofci.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khbbobom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jgdjcadj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ooipkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obbofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nlaqhh32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kjjlpk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oihnglob.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pklpkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jkbbioja.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Maefjq32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mnodnfob.exe, type: DROPPED

Remote Access Functionality

Yara detected Berbew

Source: Yara match	File source: 3.2.Ipfhkgac.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Naipepdh.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Kjjlpk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Maefjq32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Ooipkb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Oihnglob.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Ikgcna32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Jbogli32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Nnmpodcb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Pkgfpbhq.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Jqmnlf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Kjjlpk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Pklpkb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Kkjhjn32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Jddqaf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Jgdjcadj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Nbdbdc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Mapmoalc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lqbqnc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Lgqbfmlj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Olpmjffk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Poeofa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Ipfhkgac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Mndmif32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Ikklipqi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Khnicb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Peadik32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Lileeqgb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xtks4KI16J.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Mndmif32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Lbmcmgck.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Lgqbfmlj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Nlaqhh32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Jqmnlf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Plbiofci.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Nlaqhh32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Ikgcna32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Mbiciein.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Olpmjffk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Lileeqgb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Lbmcmgck.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Khbbobom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Jkbbioja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Peadik32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Nnmpodcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Njfmiegc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Khnicb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Pkgfpbhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Oihnglob.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Mnodnfob.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Maefjq32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Idogffko.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Mapmoalc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Olmpdg32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Plbiofci.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Jgdjcadj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Poeofa32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Mbiciein.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Jbogli32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Pklpkb32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Jjqijmeq.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Obbofa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Jkbbioja.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Ikklipqi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Olmpdg32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Khbbobom.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Jjqijmeq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Mnodnfob.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xtks4KI16J.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Obbofa32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Mhlaakam.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lqbqnc32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Kkjhjn32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Idogffko.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Ooipkb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Jddqaf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Nbdbdc32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Njfmiegc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Mhlaakam.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Naipepdh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2001051775.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2012897426.000000000042B000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2002980502.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2017857827.000000000042B000.00000004.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2009121717.000000000042B000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1998585566.000000000042B000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2004365207.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2016019452.000000000042B000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2011709914.000000000042B000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2005187515.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2010388848.000000000042B000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2008077984.000000000042B000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1999586381.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2017111770.000000000042B000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1997873391.000000000042B000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2015659350.000000000042B000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2014944937.000000000042B000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2002193178.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2007198128.000000000042B000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: Xtks4KI16J.exe, type: SAMPLE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Olmpdg32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Lileeqgb.exe.69a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Jddqaf32.exe.58925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Jgdjcadj.exe.56a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Idogffko.exe.5ea36c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Ooipkb32.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Ikklipqi.exe.64a3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Mhlaakam.exe.4dc24c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Mbiciein.exe.53a91c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Peadik32.exe.55bd9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Mnodnfob.exe.7a925c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Ikgcna32.exe.5e9814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Jqmnlf32.exe.4c9754.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Poeofa32.exe.81aabc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Pkgfpbhq.exe.50a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Khbbobom.exe.61997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Nnmpodcb.exe.61957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Jbogli32.exe.5b9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Kkjhjn32.exe.50997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Olpmjffk.exe.58a6d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Kjjlpk32.exe.60a944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Nlaqhh32.exe.6ea3b4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Ipfhkgac.exe.5d9814.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Lbmcmgck.exe.5b957c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Maefjq32.exe.6f9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Plbiofci.exe.79997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Khnicb32.exe.64a624.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Mndmif32.exe.6ca364.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Naipepdh.exe.7ba3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Jjqijmeq.exe.52997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Mapmoalc.exe.6d997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Njfmiegc.exe.66a364.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Nbdbdc32.exe.78a94c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Pklpkb32.exe.7aa984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Lgqbfmlj.exe.7aa944.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Jkbbioja.exe.7b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Obbofa32.exe.72a3bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Oihnglob.exe.5b997c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Lqbqnc32.exe.6c9254.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Xtks4KI16J.exe.54bf44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xtks4KI16J.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikgcna32.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idogffko.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ipfhkgac.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ikklipqi.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jddqaf32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jjqijmeq.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jgdjcadj.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jqmnlf32.exe PID: 6748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jkbbioja.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jbogli32.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kjjlpk32.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkjhjn32.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khnicb32.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Khbbobom.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lbmcmgck.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lqbqnc32.exe PID: 7232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lileeqgb.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lgqbfmlj.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbiciein.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mnodnfob.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mapmoalc.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mndmif32.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhlaakam.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Maefjq32.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nbdbdc32.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Naipepdh.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnmpodcb.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nlaqhh32.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Njfmiegc.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oihnglob.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obbofa32.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ooipkb32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olmpdg32.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Olpmjffk.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plbiofci.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pkgfpbhq.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Poeofa32.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pklpkb32.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Peadik32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Peadik32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lileeqgb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pkgfpbhq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olpmjffk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkjhjn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lbmcmgck.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Olmpdg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jqmnlf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mndmif32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Njfmiegc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mapmoalc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbiciein.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Poeofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jjqijmeq.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pojhapkb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnmpodcb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lqbqnc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jbogli32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Naipepdh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Lgqbfmlj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikgcna32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nbdbdc32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khnicb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhlaakam.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ikklipqi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jddqaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Idogffko.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ipfhkgac.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plbiofci.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Khbbobom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jgdjcadj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ooipkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obbofa32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nlaqhh32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kjjlpk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oihnglob.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Pklpkb32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jkbbioja.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Maefjq32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mnodnfob.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	12 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Software Packing	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Xtks4KI16J.exe	100%	Avira	TR/Crypt.XDR.Gen
Xtks4KI16J.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\Ikgcna32.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Gjdogi32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Cacope32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Jebgbcgg.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Hdlllf32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Jbogli32.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Epibpnek.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Biiggc32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Beofla32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Gedgjccb.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Dajmooqf.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Idogffko.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Egobfg32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ckllojnq.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Jdhlnhlh.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Dblkhkce.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Glblcojl.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Fpianhmj.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Hilimkhd.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Jddqaf32.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Hiiodl32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Cmjgejad.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ekicli32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ikklipqi.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Alqeloga.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ghhjiigd.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Jccpao32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ipfhkgac.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Jgdjcadj.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Efqdik32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ikgcna32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Gjdogi32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Cacope32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jebgbcgg.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Hdlllf32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jbogli32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Epibpnek.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Biiggc32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Beofla32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Gedgjccb.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Dajmooqf.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Idogffko.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Egobfg32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ckllojnq.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jdhlnhlh.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Dblkhkce.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Glblcojl.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Fpianhmj.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Hilimkhd.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jddqaf32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Hiiodl32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Cmjgejad.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ekicli32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ikklipqi.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Alqeloga.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ghhjiigd.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jccpao32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ipfhkgac.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Jgdjcadj.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Efqdik32.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ldark.nm.ru/index.htm	0%	URL Reputation	safe
http://asechka.ru/index.php	0%	URL Reputation	safe
http://goldensand.ru/index.php	0%	URL Reputation	safe
http://color-bank.ru/index.php	100%	URL Reputation	malware
http://gaz-prom.ru/index.htm	0%	URL Reputation	safe
http://devx.nm.ru/index.php	0%	URL Reputation	safe
http://crutop.nu/index.htm	0%	URL Reputation	safe
http://mazafaka.ru/index.htm	0%	URL Reputation	safe
http://fethard.biz/index.php	0%	URL Reputation	safe
http://crutop.nuAWM	0%	URL Reputation	safe
http://kadet.ru/index.htm	0%	URL Reputation	safe
http://cvv.ru/index.htm	0%	URL Reputation	safe
http://lovingod.host.sk/index.php	0%	URL Reputation	safe
http://parex-bank.ru/index.htm	100%	URL Reputation	malware
http://kidos-bank.ru/index.htm	100%	URL Reputation	malware
http://fuck.ru/index.php	0%	URL Reputation	safe
http://crutop.nu	0%	URL Reputation	safe
http://crutop.ru/index.htm	0%	URL Reputation	safe
http://ros-neftbank.ru/index.php	100%	URL Reputation	malware
http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru	0%	URL Reputation	safe
http://www.redline.ru/index.php	0%	URL Reputation	safe
http://cvv.ru/index.php	0%	URL Reputation	safe
http://kavkaz.ru/index.htm	0%	URL Reputation	safe
http://potleaf.chat.ru/index.htm	0%	URL Reputation	safe
http://trojan.ru/index.php	0%	URL Reputation	safe
http://xware.cjb.net/index.htm	0%	URL Reputation	safe
http://filesearch.ru/index.php	0%	URL Reputation	safe
http://hackers.lv/index.php	0%	URL Reputation	safe
http://konfiskat.org/index.htm	0%	URL Reputation	safe
http://mazafaka.ru/index.php	0%	URL Reputation	safe
http://crutop.nu/index.php	0%	URL Reputation	safe
http://fethard.biz/index.htm	0%	URL Reputation	safe
http://promo.ru/index.htm	0%	URL Reputation	safe
http://crutop.ru/index.php	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ldark.nm.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://asechka.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://goldensand.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://color-bank.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	true	URL Reputation: malware	unknown
http://gaz-prom.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://devx.nm.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.nu/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://mazafaka.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://fethard.biz/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.nuAWM	Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe, 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Kjjlpk32.exe, 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Kkjhjn32.exe, 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Khnicb32.exe, 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Khbbobom.exe, 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Lbmcmgck.exe, 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Lqbqnc32.exe, 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Lileeqgb.exe, 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Lgqbfmlj.exe, 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Mbiciein.exe, 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Mnodnfob.exe, 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp	false	URL Reputation: safe	unknown
http://kadet.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://cvv.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://lovingod.host.sk/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://parex-bank.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	true	URL Reputation: malware	unknown
http://kidos-bank.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	true	URL Reputation: malware	unknown
http://fuck.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.nu	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://ros-neftbank.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	true	URL Reputation: malware	unknown
http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru	Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe, 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Kjjlpk32.exe, 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Kkjhjn32.exe, 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Khnicb32.exe, 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Khbbobom.exe, 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Lbmcmgck.exe, 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Lqbqnc32.exe, 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Lileeqgb.exe, 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Lgqbfmlj.exe, 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Mbiciein.exe, 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Mnodnfob.exe, 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp	false	URL Reputation: safe	unknown
http://www.redline.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://cvv.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://kavkaz.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://potleaf.chat.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://trojan.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://xware.cjb.net/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://filesearch.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://hackers.lv/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://konfiskat.org/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://mazafaka.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.nu/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://fethard.biz/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://promo.ru/index.htm	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown
http://crutop.ru/index.php	Xtks4KI16J.exe, Xtks4KI16J.exe, 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Ikgcna32.exe, Ikgcna32.exe, 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Idogffko.exe, Idogffko.exe, 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Ipfhkgac.exe, Ipfhkgac.exe, 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Ikklipqi.exe, Ikklipqi.exe, 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Jddqaf32.exe, Jddqaf32.exe, 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Jjqijmeq.exe, Jjqijmeq.exe, 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Jgdjcadj.exe, Jgdjcadj.exe, 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Jqmnlf32.exe, Jqmnlf32.exe, 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Jkbbioja.exe, Jkbbioja.exe, 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Jbogli32.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1507175
Start date and time:	2024-09-08 09:47:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Xtks4KI16J.exe renamed because original name is a hash value
Original Sample Name:	Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@80/81@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 152 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Xtks4KI16J.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\SysWOW64\Alqeloga.dll

Download File

Process:	C:\Windows\SysWOW64\Olpmjffk.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8624436778138183
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG01bB+BDq9J5SC:8qtV0HAr4ubB+FqX5SC
MD5:	52816ECBAA9045E5151ED06D67F68B6C
SHA1:	9A6D6C92FB3B0523D4FDC0747F041A172C26B891
SHA-256:	17B5536670DE61CEFF9349542FB28547D2B568E98D435941D95F708525E42AF5
SHA-512:	E936A87EA512364E6B21BEEAC409CB7F92EEA91A6B4E3C8D29A5F71DAD8B938F3E13EC347167A155A65E38D23284333E23ECF9D8059FD0FAF97C7B02F95997E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Beofla32.dll

Download File

Process:	C:\Windows\SysWOW64\Lqbqnc32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8632156969532687
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0qB+BDq9J5SC:8qtV0HAr4XB+FqX5SC
MD5:	A1D9B28991E9B255F34A72716331BD54
SHA1:	AEC55990803E789B70B3E0031C27740A01737F4B
SHA-256:	5561747077D3F792B50DA48268A40AA310F33B7DF58CCC6E58838182FB09CB8F
SHA-512:	22FB20F045FF1D7FB28551A648C9F3286E145E25B929DCA30045B4A098D2AC8C7CC65CE4EEC2D057F6C7B70F50D8F028DBA303D58825A938447998C3DB4FE2B5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Biiggc32.dll

Download File

Process:	C:\Windows\SysWOW64\Naipepdh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8627802792879837
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0WB+BDq9J5SC:8qtV0HAr4jB+FqX5SC
MD5:	D581BB9E6A8DCFBDC227793452B1B9FB
SHA1:	4294580B4FD23F0260C36DD407071D85E17B0F58
SHA-256:	E7F3A6A046BE3F0BE9B85A3ADD860DD7A1E164D93B27CFC5C6A4E87CBC4A9323
SHA-512:	3DD25560CC9CC1F4B066993505DEE872070FAD64BAECE63873E283860DB6228840909EC7051D8046CB2DCD4F09890E907EA6A7FF546D4412A5B2632098E241B2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Cacope32.dll

Download File

Process:	C:\Windows\SysWOW64\Jkbbioja.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8631744213230474
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0RB+BDq9J5SC:8qtV0HAr44B+FqX5SC
MD5:	BEA9A16D6DF9C6741A7022A63E121338
SHA1:	BF2A442A5E9083688A6225F3A7CAB3EE40E71F45
SHA-256:	F55D3D3F6096B854C2E1BC6B4252C5E20B6B4AB24A210A7377785CEEACED085B
SHA-512:	D8BF25A6E34E03D69BD81CEEADBD3FDA12B5547E41092E9CB3F2564312E6BFAD733D4081486263D07571F0972725AFD077A154D042F8E7E6CDA5DC897AD81A4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ckllojnq.dll

Download File

Process:	C:\Windows\SysWOW64\Nbdbdc32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862293793509182
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0YB+BDq9J5SC:8qtV0HAr4RB+FqX5SC
MD5:	2D90C5CBFC9375E5C2A40B3D675EB3EF
SHA1:	B5E79142181C78F06CF9F1582DF1AF4BC6896CE1
SHA-256:	A248E30B48DF01B0B32C11AD6958B2C0161D3107C18F49934556F94527B3508A
SHA-512:	6FE442F898FDE856F28435625D16873EE6D523519D1EEF4AAFD2A91A81793E4AFCBEBA58F1964517491D5F053C90259E0DEED4549FEB2025A0ED0E94DF3D0487
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Cmjgejad.dll

Download File

Process:	C:\Windows\SysWOW64\Khbbobom.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863005515552792
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0NB+BDq9J5SC:8qtV0HAr4MB+FqX5SC
MD5:	BCD398C30340D9E23479C626D23925B0
SHA1:	7D9766FAAADFFF265FBC89468E55CCD72F2B8E06
SHA-256:	BD684BAB416BB3513521C140FCAC11299FBF89705D6B1D1A47165707A04C69A6
SHA-512:	E1B858ECD0EB05ADF227F087B7621A1D568E95E6D6C4E39F0BEDA92A4093F3DAC30F8CC427254E1D67EB0D50F080B6298AD3C78AC232E8A15BBA1B5C75612B3A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Dajmooqf.dll

Download File

Process:	C:\Windows\SysWOW64\Maefjq32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8632066015390825
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG07B+BDq9J5SC:8qtV0HAr4aB+FqX5SC
MD5:	ABB50B2022929BFA3DCBF490610A0A49
SHA1:	318946CFB5DEADF1A9C44FE2F06B49210AC6640D
SHA-256:	F792D7BAE89CAD7DEB284A1DC7CAF375357D4E77318A6995F2791F0D8928DC2C
SHA-512:	E1ECC5B21AFA5665E506D9AC6A0FD5D3F86BA60136C86284AD36004D456688E064A50DA201635C9B407C36B4FD3A2A13AB2D12F69B26C18014A9CF16D5A0B442
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Dblkhkce.dll

Download File

Process:	C:\Windows\SysWOW64\Jqmnlf32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863017486813165
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0rB+BDq9J5SC:8qtV0HAr4WB+FqX5SC
MD5:	404A7F48BAA8D569974CDC8C5DE229FC
SHA1:	43C50FA0FC5628F698CFC9E77AF42491D82B1774
SHA-256:	D7A563297116020522E02BFA859E074183A633923E953E61706C2DFDB50F647D
SHA-512:	96443A4B43623DB3E55E9EBF024CF8C570553121CE33F968C75CBB0993B68DA0C6D336ADA9761ABA776995E48138183AF0284DAF020A6089FA41560D52B9D80C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Efqdik32.dll

Download File

Process:	C:\Windows\SysWOW64\Njfmiegc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8628357305045515
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0dB+BDq9J5SC:8qtV0HAr40B+FqX5SC
MD5:	22F7B9D859368AD186113147A5559050
SHA1:	5FC25FD4E0602F1803E4AEE904A1B92834872340
SHA-256:	88C1A3DB54BC360779ADB8B847FF5B0D22C30CB84A5132A5C0342B760BAF1A10
SHA-512:	FA879BA46DC474309EC60291E374C766E4F3C0890F23849479D7384EFF277CF6EBB348EDF2BA06E63B8EB04A3A8DB7EEB260726FAA4C203D57FB531CC0A3BE7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Egobfg32.dll

Download File

Process:	C:\Windows\SysWOW64\Jbogli32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862867624082093
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG06B+BDq9J5SC:8qtV0HAr4fB+FqX5SC
MD5:	0AE9DC769EA23B0094CF15984D9BC5A9
SHA1:	C3F014D729A1B39118AFB13CDC45B97AB8BB7273
SHA-256:	E138ABF7F8F670F80F304816EBF2FFFBD95FFB46EE49387B6909368E31371063
SHA-512:	BE9ECB4D6E2EC17BD035CC77CA4AAF0FB9ACA83107D568BDB336472F9507A997DF90C622339EAF6D6FEAECE05EDC2468AF49AE46B660F35D5F092D15D62356B0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ekicli32.dll

Download File

Process:	C:\Windows\SysWOW64\Jddqaf32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8635651440675645
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0IB+BDq9J5SC:8qtV0HAr4NB+FqX5SC
MD5:	E919B57761D50759ACDA0AB3EA793B15
SHA1:	9D1447063D286533AF537E90CE8BF156586EC17D
SHA-256:	30924E6E860C4CC274B121D4F9517C1657FCACDFBD78E7B0CE0FCD27862F6684
SHA-512:	F51465A42DB573BBEC51F7D75A0F450336731AA6E180F67BFC96144F0AB0F8250E15304D6ECEE3DACE670C3549594B13F9AD1DDFE4002EBBD0278ACC5703FBDA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Epibpnek.dll

Download File

Process:	C:\Windows\SysWOW64\Mhlaakam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8634944161509566
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0oB+BDq9J5SC:8qtV0HAr4lB+FqX5SC
MD5:	136E2DEA4F95B6C288D0A29CD4ED02AA
SHA1:	1CE1A368B8AF24227AF24EB909911023F7FB7BD5
SHA-256:	F35C85A2E7B15747B798E217E8AA005B541FD0D8FA213E5D0276216D566A0D98
SHA-512:	D4C497024A8A5AA5DB5A01F6453E0006B372B5755A868E8EF85D05AB7C311D5B3050D16425065216C6FB3844C6690F2A53203FC30719799B9435CB7C53E8A19D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Fpianhmj.dll

Download File

Process:	C:\Windows\SysWOW64\Khnicb32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863417047836027
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0KqB+BDq9J5SC:8qtV0HAr4CB+FqX5SC
MD5:	694142EED5A615CCA3BB685C5D3890E5
SHA1:	C07C162759F264E207BE9FFEE2822519C82868C9
SHA-256:	8CC73671149B2EE5BE945C852A894F01C68A889948D4675044992089DC4AEEDA
SHA-512:	078C9CBE65F678B6FA249F4F90EA3A496A1D413CFE70EBC415EC4802653090BCE073C4391456F8F21DF8896245154364BA3AE59A7314FB5B465D791C8841D826
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Gedgjccb.dll

Download File

Process:	C:\Windows\SysWOW64\Kjjlpk32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8627847721097703
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0wB+BDq9J5SC:8qtV0HAr4tB+FqX5SC
MD5:	5C6C601FFE48965A731B241874F7AE51
SHA1:	EA56BC78548DDFA78F41DD1763B4E0D00E76F2B0
SHA-256:	DCC543CBCE8AD8885C5D1E81E5A91CAB14732389E66B17D654B9004A8FB761A0
SHA-512:	769C00E5CDE665BCD454E3FD182E3CAE28AB3FF115DEF1083A1714BABC6EA7C5E0B4B46D76D1EB57D53407C4868D8E182D8BD4AC5BDF70020EB96C6179DF1F6E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ghhjiigd.dll

Download File

Process:	C:\Windows\SysWOW64\Ikklipqi.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863523742031969
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0CB+BDq9J5SC:8qtV0HAr4rB+FqX5SC
MD5:	85EF9FB5908D41E2F353389BCA418EAD
SHA1:	AE2D925335782EDBA397A62F935DB6BC6E715685
SHA-256:	4DB66D52DF8A04A58D57CEECE0D2D624F7AC43C2384F8411E52EF3738DC0F86E
SHA-512:	DDCDF19FFF57AAE042D0EC083F51F13372C420D2CBD241C18296901E02EA13F46EB466865AAFFA1F4C6552EA40DFEBAE2015AC39997106805A80E229DBB12874
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Gjdogi32.dll

Download File

Process:	C:\Windows\SysWOW64\Pkgfpbhq.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862314120196986
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0MB+BDq9J5SC:8qtV0HAr4xB+FqX5SC
MD5:	1CCF9D0BCC310AF6280D1302B4B59728
SHA1:	BA7A76C486B42410D668E8D4922C39AD64A99498
SHA-256:	784468A86417D155108B5622C1BCACF1BCEA7B3DDDE1E211FD4A9C6FC1F4D070
SHA-512:	B8D5F2A9CB6187B3A389E00D139C9AF37645C27FC5A3343D3914F517A1C7637ED9DB34737B6C5A2864716804DD640F9E50B7075C7329F0F7523CACC944CF1FAD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Glblcojl.dll

Download File

Process:	C:\Windows\SysWOW64\Jjqijmeq.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862544273680858
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0WB+BDq9J5SC:8qtV0HAr4/B+FqX5SC
MD5:	428A2D719DCFF60E9DE95EAEE73F0798
SHA1:	AA0719A631E49371D5C220669BC29C85280D8543
SHA-256:	69911EE3720B87031655B7A1FDAC7F3AD17EA5550481883CE6858F08EA428800
SHA-512:	95CC737B946E9A49D59EB92AB6FC3AB94662FA4D7B5A7C2C6C48B03846DB6E42FED45BC89F68EDCE5F48F1EC97D381E31833CC388476A02C1A7C51B7EEF97FEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Hdlllf32.dll

Download File

Process:	C:\Windows\SysWOW64\Mbiciein.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862724164450439
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0EB+BDq9J5SC:8qtV0HAr4VB+FqX5SC
MD5:	4270B1B3AE429F25F0B2CB50711370BF
SHA1:	0BCB74BD0C6FD9DBCF1EF0F959BCFB5BB781A6C0
SHA-256:	FF73947BECD19E4C58E9BC8017E9772BB472E17154E42BB18D55D4CDE081C841
SHA-512:	4FCE0CBF5027D5EE89120F30FC185BE77BFA11B08783908CC8DE0D8845C92246AFA54359853A3F01397E295726A19DEC5A82FE32F20F8CAF6DEA6569178EC3DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Hiiodl32.dll

Download File

Process:	C:\Users\user\Desktop\Xtks4KI16J.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6657
Entropy (8bit):	2.8630655759539856
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0rB+BDq9J5SC:8qtV0HAr4+B+FqX5SC
MD5:	B0C68CB681623D77FEC415DDEA61B537
SHA1:	D30CF942D41D9212D0001648CF8C097B5AD6EF9F
SHA-256:	9811396F8E655BCBAD9FE3D0E83A7A50114BBCBCEFED922467F31A21BFEC7A82
SHA-512:	E0FA923EDE9D518422AACD3D62D034FE6D184D1A291D5D3393F0507EC378702139AE41658F5F5EB73BEF92F44724F574A697998E350397FB0DAE4DBA4270E589
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Hilimkhd.dll

Download File

Process:	C:\Windows\SysWOW64\Oihnglob.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8633327200054612
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG03B+BDq9J5SC:8qtV0HAr4WB+FqX5SC
MD5:	D2396774C21CC2EF75507BD59077331F
SHA1:	7640D7C5D9B3ED58464FCAA0B9A687ED38892236
SHA-256:	3A0B679B1A191214FBDDACFE501E328C27A6CC69159355D8931D91F944C82D85
SHA-512:	11B0517EB41C702F0AEFB5F387EC123BA37819BAA7738916F605F159936320E62B07027D7CA0C235F933F00A14C58191EDF23FD4B3DAF2A445FE604238E6462C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Idogffko.exe

Download File

Process:	C:\Windows\SysWOW64\Ikgcna32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.684358710333223
Encrypted:	false
SSDEEP:	3072:xPVoiyq46lHK9MgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:9W646lq9M1+fIyG5jZkCwi8r
MD5:	44B1D19D1F316401D07436026D0C8F93
SHA1:	DD40B55430E3DD07D1C2A242A139165E2781E9B7
SHA-256:	1ACC1E6AD34CCA096882383F24B1EB61E221EDA21DA8B5207BEC698433F71B25
SHA-512:	8EBFA2B65BE1ADE3F8616FA1002B5692423C46EF2D8E082768140E8E3F502C99A4B17AE539C04247A3DED53154F4EA4C7D060A14F1BF758CC30D67BD41ABF0D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ikgcna32.exe

Download File

Process:	C:\Users\user\Desktop\Xtks4KI16J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.65654014578325
Encrypted:	false
SSDEEP:	3072:0wDD7U+oACPBbwr92N7qUx5HP5gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:l30Zwr929lP51+fIyG5jZkCwi8r
MD5:	5BF78889FF869E37498DE5C9C505D3F4
SHA1:	AFDFD202B86E496C32F6C794C7F160B084F08ACA
SHA-256:	0C92B77E4C50EB25BAFCCFE62A1E5D1D45E090D60FE92717119DA1A74EC8065E
SHA-512:	57A251BDE64454BAB9921D059E81B832292436F65184A7043BCD6F5BD6AA96188F823A6E6B0ED7185616366776B097D5544F8E26208B6525A8F44716D353DB3A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ikgcna32.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Xtks4KI16J.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SysWOW64\Ikklipqi.exe

Download File

Process:	C:\Windows\SysWOW64\Ipfhkgac.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.642192883483861
Encrypted:	false
SSDEEP:	6144:U2nZq/+zVid843ufALPw1+fIyG5jZkCwi8r:3q/+zVid843u6iZkCwiY
MD5:	5F42235DCB8D9B0D74D8780DEDEF3DD6
SHA1:	ABF3E11498AEF5D8354D348748FD3AEA9A6DDE75
SHA-256:	24A790497DE74FC87564A032ED53BFC113E9092472AF7CB8D7D5E253D142522D
SHA-512:	0171ABEE6D41313405D0EBC3B50D81E6568BF0AEEBF919C5B623565BA3F471591F37A4FCEAD8D8C7308880FEE39726DBD4D538300F20662524E5B79DB576F47F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ipfhkgac.exe

Download File

Process:	C:\Windows\SysWOW64\Idogffko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.667202980602088
Encrypted:	false
SSDEEP:	3072:Dw+6javxPL+NEhhhgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:DwPjMxPCqhhh1+fIyG5jZkCwi8r
MD5:	4F2762AB1971305DCB7E62833EE29EC6
SHA1:	6E0A77A5C945A273830966B0CA8B976629922F55
SHA-256:	F865C28401E474837AEF002F98388B827EC0E415E4FA7CA5C1A0309C0B24C6D5
SHA-512:	95B7BB6356F0A6957E7257B8D2B74A62D7C52914BBEA5816BC9DEC2EEA481776F23FBADE29A4A2FCDDB0C787452A4D75A9F378BA988083493B47815590F0B1FB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jbogli32.exe

Download File

Process:	C:\Windows\SysWOW64\Jkbbioja.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.662278487908848
Encrypted:	false
SSDEEP:	3072:7k0mmBFiYe1BIdYDgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:NmOe1BIeD1+fIyG5jZkCwi8r
MD5:	954F234246B8674AD183FA10ACAF2457
SHA1:	26B4C97C6D605F21EA103116BC2EFA98EEAF89A5
SHA-256:	D5479E6569302E809A807C2B4B274E4F1DA9817F414BFCD8E7E632982353F5F8
SHA-512:	339346F08E89BE8EF26999D09BDBF9E3B2F0A3EB4E347DAAE89916081370A0340FE46B667F6EC69C55844E7D5A75A4C416BF7CBB7A8D831B632C63F6DBBF85C4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jccpao32.dll

Download File

Process:	C:\Windows\SysWOW64\Nlaqhh32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862727956282507
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0SZB+BDq9J5SC:8qtV0HAr4lB+FqX5SC
MD5:	DC12F15A09098A45D978B92985857610
SHA1:	056BE9974BC8C87132BC05E2624B90BD88C3F5EB
SHA-256:	986A56C1DD28336DEF30F6B99C70CAEFFB32784AA7AF4E84C6689AA1142E24ED
SHA-512:	444684A733A1163D28E2991DEBCCAF965D341B05D8F0AE2B607878D1F2B9B748B2F672FB3D8CB3EA4C9F47715EFA84E30F1DCA4E5E58EF9EAA3AEFDD388754DA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jddqaf32.exe

Download File

Process:	C:\Windows\SysWOW64\Ikklipqi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.675664885109277
Encrypted:	false
SSDEEP:	3072:3z//eQChPnmSZ3ihJLIgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3yQClDZ3iHI1+fIyG5jZkCwi8r
MD5:	52F2625244F7597416A74A133B7029C5
SHA1:	4DD5B34CB735F7ED08AEEB139F291F55691A8CEA
SHA-256:	986F97B983734956BC9D6582D8F7C4C30B8D8A5A44DC12A4ACD2E11CE9EC557A
SHA-512:	DE910372C29647464E94167DFDEB76846528A7CC72E2DEE2310AF31FD022B57DEDBC7B52FBFD77314E11BAB48801B5EA18E02BFDBA2F54A591E59398DB21BDA4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jdhlnhlh.dll

Download File

Process:	C:\Windows\SysWOW64\Kkjhjn32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630889871580303
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0TB+BDq9J5SC:8qtV0HAr4yB+FqX5SC
MD5:	319847131DEF34C23BD523BE5CE51D83
SHA1:	0F3CB815EDCCEA2BD9FD45C6E916E246966953DB
SHA-256:	109821D82E61CBAA3F382582C08106455E658C80BCEE64297083A83982EE9D85
SHA-512:	80FA8B49686C2F14834081D50C11129A4021AF76D3A921F508E52A98D945D1C00CB88AB1B500AF9DAC507165FAD42A899460CA31A548B8D9A80F0B544C2449EA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jebgbcgg.dll

Download File

Process:	C:\Windows\SysWOW64\Mnodnfob.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8625813936501965
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0RB+BDq9J5SC:8qtV0HAr4IB+FqX5SC
MD5:	A851C8FA8FC4B78E77B0853824810EB8
SHA1:	7F8855BD5C0E05EEBA222D93CA66A2960187F593
SHA-256:	97DC0B1CB899AABA1887EB2696557B66483EFF54392D2F90760A38AD9E953A67
SHA-512:	FD9B183CA5D949641C7FD73E43E3BEE3D263DC291CE7A3E9AECF3678B4FAA610804A8FB2938096AD0DE5F5917E35CC6CE94C081A8590BD272AB56E10C5CAF3FD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jgdjcadj.exe

Download File

Process:	C:\Windows\SysWOW64\Jjqijmeq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6620262845151235
Encrypted:	false
SSDEEP:	3072:zgv0Rm7W7nugYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:cvrou1+fIyG5jZkCwi8r
MD5:	8186437E2CA451B45919F2179F00DD06
SHA1:	19C2586072B3AD2924F1C63168DCC7231281CC18
SHA-256:	AC0715A5D28979F4B75334CA395F19910D90BDAB5097041DB90E7110D0100D2E
SHA-512:	5A20F5A02972033B9B95590679849448A05012061B4D78ED28B17C4476CE2E5662D57973E63F955EE8D3ECD444BCB6AEFCA1DDD9C226155F54187F646EBAFF3C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jjqijmeq.exe

Download File

Process:	C:\Windows\SysWOW64\Jddqaf32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.654483104154973
Encrypted:	false
SSDEEP:	3072:EAGDEq/xQBpffqe8ELpwedGdIFgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:bGD1xQT2edmIF1+fIyG5jZkCwi8r
MD5:	2C9A4475BE131CCAC6871AE983CA72EA
SHA1:	0C875276CA4894044EB3FD19FDE190CFAABD7521
SHA-256:	3A01016D451645311B7F71A922B55CE19149D0130047F8960972D70A0A22FED9
SHA-512:	7E1CE06DD4203FEB2C65EE4DF4F7CFE10B15A0F5D75F5DAA73924C1F07346F25A965815F5088CF0B3C178298707EA1470034CBBCAD50B04874DDC393D509D0C9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jkbbioja.exe

Download File

Process:	C:\Windows\SysWOW64\Jqmnlf32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.650097829030835
Encrypted:	false
SSDEEP:	3072:C93WqZP4SkV5qJ1ZQiUYgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:CpWqh4F21mjY1+fIyG5jZkCwi8r
MD5:	3F9DFF15D79161B762641DEBC1DD1253
SHA1:	E801C8611BC6802C9034AF4339D88337B4D9B7BF
SHA-256:	75D4A2EB187C344FA404E12429CB1125D562C02608BC84CC22A6F67F3D68A0D0
SHA-512:	95A9AFC2A5263D94423340831CE86EE87B4FBE68CE983E5070494C33EB92A8255E4211BD1AD012484BFD8BD0339BB8FB92CA7D5430BAFB600D2CAEFE1079EDD5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jlihgcil.dll

Download File

Process:	C:\Windows\SysWOW64\Obbofa32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630964608957576
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0aB+BDq9J5SC:8qtV0HAr4fB+FqX5SC
MD5:	5B13B8F7880D0D6170C3C8FB6F0847FC
SHA1:	C006E1F04DBCDB215BDD81009CB52F3FC5C5CCFA
SHA-256:	BEC7F6786837E380C5BCD25565B20BF425D512567A14890BEF68593960174331
SHA-512:	F1912343717F15E1084B8DF9AC41DB03278236D86A67F36A7C5C40A1D6636DDB43D79707F94F3506E9B8F7DE3AC2D806BB1A0F74CC36A2476B39BE07F11BCD71
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jpjjpdfj.dll

Download File

Process:	C:\Windows\SysWOW64\Plbiofci.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8636657239517813
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0gB+BDq9J5SC:8qtV0HAr45B+FqX5SC
MD5:	E207C35CD54E83F21105ACE2E6FFD063
SHA1:	B12417BBF94F1FDAA792E800417255CB7C85D142
SHA-256:	FD4D97F084321F7BC293F593DA8779F8F5A203D9A8EF23E225634102C1C11850
SHA-512:	52B7EAB89BA1A6EB67014DAD7DF98CE3BC3DE2F954BFF8795B169FF089CADA7C352F9437204410277A5F24497355FBEC7029B5F7D615F3D2E4E4DF8329CE647D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jqmnlf32.exe

Download File

Process:	C:\Windows\SysWOW64\Jgdjcadj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.691196347847016
Encrypted:	false
SSDEEP:	3072:UBn+4+ACdQ70rGlzgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:AnR+AoM0Yz1+fIyG5jZkCwi8r
MD5:	92CFBCE6CFD5AA8DC54EE9ECA05DC000
SHA1:	316B18F39CB780464C9D31FDF76F4EA7DDB77620
SHA-256:	44F385EDA7754BA89E6B8A4EEBB14D8EBDCABC8607EAFBB9CFF2751D71C888CB
SHA-512:	D0F4400E83F3102548B5E3899FE16451DD124A838AE0EBA565218D00A2D04B234F16247B56F51FE8DA2C3198A9F347E4DD803514A5384F48771E5351270FDD7C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Khbbobom.exe

Download File

Process:	C:\Windows\SysWOW64\Khnicb32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.683239993491153
Encrypted:	false
SSDEEP:	3072:O0BNpLZwhgUJNRgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:FnqR1+fIyG5jZkCwi8r
MD5:	D5D0C07DEEC73A95DC48372F44B81AC8
SHA1:	E2673C1F5E7DCE1316EF23507E8EC8DF0ADF7B72
SHA-256:	2D98B4EB3AF830B04F2FFB42C8A69E103B2BF95F4F5885A5E560C01F97104542
SHA-512:	4B08E2EC621C1A1AF27C33D4377A0AF22A37CC601E39EC59F6B70CB279018DB02E2E68C6E982D15E8F9D344CD9EB2548EEC70C84D6A796A62FF6072EA2A87103
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Khnicb32.exe

Download File

Process:	C:\Windows\SysWOW64\Kkjhjn32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.684326015488438
Encrypted:	false
SSDEEP:	3072:DvlR1SP1RsQgJME0W9ZT2gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:DvT1521+fIyG5jZkCwi8r
MD5:	F2D6F9BC64756AD880683220BDD89B61
SHA1:	3A08FDD6E28EE51AF4F596EDFC165407AB5EB1E0
SHA-256:	284494988F7184736C2F61184C3405573E84960FE666F737E1922BDF8B3FCEF8
SHA-512:	0C278EE56622C48C29AAB298F687D0C5CBA75B2760CC7B7A7182C93373C276E75F0AE11529833C32D84F3D0FFEFC2AAD6AE1325FF0C335435A6FB70FEF096922
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kjjlpk32.exe

Download File

Process:	C:\Windows\SysWOW64\Jbogli32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.670871663500443
Encrypted:	false
SSDEEP:	3072:MRxF8RCqB6O8WqgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:MRT8IqPq1+fIyG5jZkCwi8r
MD5:	51E61062139BE553220506C4BC182CD4
SHA1:	45C813BB25D73CC63FC80901F7C2C11513D5A976
SHA-256:	8F691B808D3694F55C7EC1CFFE2BA4BF587546C7715589BA9FD09987EB43615F
SHA-512:	99C815D7277C83E785335C38AABB1AD465420EA9164E75A92B2A2BF49F47BC8A8537E4815BF9717DC82B8794E1A5A608C68F5B09CD31DB3DC3D0DBB7AF68D5CE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kkjhjn32.exe

Download File

Process:	C:\Windows\SysWOW64\Kjjlpk32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.655487056251249
Encrypted:	false
SSDEEP:	3072:kCNnw59MHKGJmA2/UiIgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:vNnK9Mf/iI1+fIyG5jZkCwi8r
MD5:	A7516A7869FFE0EC2C66E2A7A0B02444
SHA1:	31F5BF2CB8640C46C27015D0ABB575FF5C071357
SHA-256:	9F31AB862F4CFF4395A50CB7A3E2D2DEC251ED86C62DA4C58B5755C4AA646A87
SHA-512:	486E36C3A10D60C87F1EE47BE83695AABEFB08FAC1F988637CD0F78C640CD4855A5EF89CC37D33AA4774EBB8C540198963771B6A74F5A68BC6DAB7891D413091
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Lbmcmgck.exe

Download File

Process:	C:\Windows\SysWOW64\Khbbobom.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.672489185076223
Encrypted:	false
SSDEEP:	3072:wTsf7Tr6FhB4GghHlpL5/wrgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:wTsf2Fr4GghHLL54r1+fIyG5jZkCwi8r
MD5:	AF4FF01A204CD902288202DED8E23A38
SHA1:	2AD58E89CF2E5E5D54042713FF5431A677E022CB
SHA-256:	2491F7FE132393DED1FFFEA0D6591F152221E266DB5F721508708F429E3EF107
SHA-512:	BCBCE9B436D13B038E2A1AD126960FF7BD449BCCB82FE0F859BE2CDF47E9F0686A51AE2D67BD5B9301FE7ABE8B2B6B08800B6710F33F9F0B28243815D85694F6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ledhoq32.dll

Download File

Process:	C:\Windows\SysWOW64\Mndmif32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8625903899397525
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0xB+BDq9J5SC:8qtV0HAr48B+FqX5SC
MD5:	268A5B1FAF5E26F274F3682CF208A86B
SHA1:	D6D320B2FAC4A3E35FC11DF562ECBA4EF079EFF7
SHA-256:	60BF926CCB903CC5AE78B7B6A04E8E4ED9AF277D5F8A45476E217AF173CB8112
SHA-512:	9F09E59C2A6DAE8668F7F21FB02E5D7D9CEB6F0E4837B79DA4FA817ACD012D2BE382CF323471DF6B0F5683A9E59BB97CC85A023006E84C387FEB73C625FBF8C4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Lgqbfmlj.exe

Download File

Process:	C:\Windows\SysWOW64\Lileeqgb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.652996636779409
Encrypted:	false
SSDEEP:	3072:LzzmAbfN97BQ1gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:rmAbfNI11+fIyG5jZkCwi8r
MD5:	274BC707BAF2708F03F6380BBB2C14E4
SHA1:	55D4D838C667558D9BDC50C0AFE15055615AE883
SHA-256:	D72E936042B5AC9BD704BED987A58408146243113268C65DA2F327BE95E7172D
SHA-512:	8B55F5B9366AE2D0CF1A28F67BAE23D2C459FADFE55E21D4B978202AA96D658A2C751E2D083B15A38751FBB33A1C2ECBB72CC862DBBD14EE1D65BBB9FFA3EEA0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Lileeqgb.exe

Download File

Process:	C:\Windows\SysWOW64\Lqbqnc32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.669111055861105
Encrypted:	false
SSDEEP:	3072:2V1RxoCvG560ss3bXgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:2TvG5pss371+fIyG5jZkCwi8r
MD5:	7F4D403B3A930EAA5CCF08F8F1FA92BC
SHA1:	63A24A070F76B58D58B44313AB0E4C6FFB04494D
SHA-256:	92DEE03BB31A045D2D541E83F6C4F1E3D3AE48AF85339D733131801E59144239
SHA-512:	330055985DD83BB431E4E5B9F24457C33F9E9E45065EFF41A01079D3464014E21A682C03CCCB8A04745B521C69F0371E84DF6995F889CDB6AEC073E380032ABC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Lqbqnc32.exe

Download File

Process:	C:\Windows\SysWOW64\Lbmcmgck.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.68683530895315
Encrypted:	false
SSDEEP:	3072:IXaCTX1yYsAdyLvqdMLgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:IKJIGL1+fIyG5jZkCwi8r
MD5:	FD3AF1AA7CF7E783321048E4FFC396A3
SHA1:	DE89DB8606EC0302E5CD829350FC4AC50807A7C6
SHA-256:	AB8C18042535B6938CD66CFAC850F11073F8C0A5031440D404396AD1B0584A0B
SHA-512:	B09EE52EA5FA7F66504ED41E6356CAD2D5A8E486BD8DF99E6FD7640B2A5094D7CA3EA6B8C33BC1EDD39FF358511C660BEFE92E39CD8590604BFDA089304F454E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Maefjq32.exe

Download File

Process:	C:\Windows\SysWOW64\Mhlaakam.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.672546303659461
Encrypted:	false
SSDEEP:	3072:Hk/dGbU//QgxRgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:HkdGwwgxR1+fIyG5jZkCwi8r
MD5:	28CC60C41EDF66DC2FECC77632BA2A0E
SHA1:	732A06AC6FA9471FBA4D7631E802AC347838D8CB
SHA-256:	649A887EC1708B6F2569A6D05E442844E8AC35B72A06B26D1BB39E405CB3B66D
SHA-512:	631216F8D27B770F17F5BC6638D94B9FA47CC39D8FFFD3A6EF02AFF574576DFB42BEAE7E4D8BA039484BF761BBAA45BC4729C6CA557369FE29A4B76986D8D2FC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mapmoalc.exe

Download File

Process:	C:\Windows\SysWOW64\Mnodnfob.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.650137783425623
Encrypted:	false
SSDEEP:	3072:+RW8PNYyM48IzPgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:d81YD4LzP1+fIyG5jZkCwi8r
MD5:	78C3B2396D3A3315BC238EC41BCEC25B
SHA1:	56ABE8C72F34B36568A91966770B1A31772D8B8C
SHA-256:	13288ED807D17295EF1264D1EE13BD0F85EEF3A2848F4C7429BE8CD825685D91
SHA-512:	7013F9187F627C1321787632AF1026FC5B8C1E532D32586628C77B83E032DA5916AF37C65142DA86422E2B5102A7DCF2E0D62AC07E6D9EB5300654414A709592
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mbiciein.exe

Download File

Process:	C:\Windows\SysWOW64\Lgqbfmlj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.679214809855937
Encrypted:	false
SSDEEP:	3072:/dsxNOvxFXmNpxc2xkgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:/axNOp4Np/xk1+fIyG5jZkCwi8r
MD5:	E472CC27576F19571E64776E28F7DDB1
SHA1:	7BDA7378BDD181814F0A203E2648C216F8768347
SHA-256:	029C560B28F6041489F81D4D3AA067027E4D290C554BD3FFC251376F00CFD06E
SHA-512:	1603EC37957B04E3BF20B47CC24A1EB2E75A5491373A02FCE8D31A0331370E169E7CBBBB244462EF765C438B700476B3ECDDC5335B93037FD9E74E275BA22AD3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mhlaakam.exe

Download File

Process:	C:\Windows\SysWOW64\Mndmif32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6579880937172895
Encrypted:	false
SSDEEP:	3072:RQVUDcGlwI3QZKvgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:eVUDcGWIAKv1+fIyG5jZkCwi8r
MD5:	7BCEC97A05D4FF32C52BDF14A4C9A277
SHA1:	922B0B12F09A19361E706FAA9875DC7DEA516697
SHA-256:	B0CED86276937A874BDFA33DFE7DAE5185F96F185316BE4A395C4078C0051AF9
SHA-512:	963631391F6A0135C4599F9953A086D0A1C1C900EA0E1B8460F74FDD67E3B8D7DFF58D11A26F09625F391C682C13CE76EF2689AB44C5F5D3A3B88A430D53F324
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mmppcahg.dll

Download File

Process:	C:\Windows\SysWOW64\Mapmoalc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8628421958667545
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0bB+BDq9J5SC:8qtV0HAr4+B+FqX5SC
MD5:	9080267E2358B6C9285FD59F677D52C4
SHA1:	2B0D0A421087D9283A68BB7867D7682A1496B65E
SHA-256:	FF44D164B010E198E41505E5930A82178EBADA755F7CCAED68794C6540CB861E
SHA-512:	5FFFB1F44400480D9315E6327AECF405129929301620A67826A6C57CF50EE4AA78BF74C187765BAA0771AA5FB5B677D7C7A3D8BD3267221198C16F2D3AA1A86F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mndmif32.exe

Download File

Process:	C:\Windows\SysWOW64\Mapmoalc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.674396012393234
Encrypted:	false
SSDEEP:	6144:jWxVpthFZdR1JNBl59xVpthFZdRNBl59pthFZdR1Jl59xVpthFZdR1JNBl5azeIA:jWxVpthFZdR1JNBl59xVpthFZdRNBl5l
MD5:	A7BBB89E20C7F6C459957260066705AB
SHA1:	06EE36C87CC39AB3D49F802726FFCE175AA8D618
SHA-256:	61F752BB4E7C9B6532E9F238ABEAB1212026212B9DEBD9DD7EABF1AFCD75265E
SHA-512:	1C04E23285645B195F9B906DBA0BC1A6193E8B5BB5E2642C45D5D54E6EBC06556DF5248CC4D3FB05FF71074670BEC68842035ACE3D1793817F38A8FECD5BCB2C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mnjfhgoc.dll

Download File

Process:	C:\Windows\SysWOW64\Ooipkb32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862989560313597
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0zB+BDq9J5SC:8qtV0HAr4aB+FqX5SC
MD5:	5108A3EF34AF6EAD2FA8D4B58ABA4C72
SHA1:	A00CAC8EC244CEDDFD4AC95018777646EDF52C0C
SHA-256:	01008C938A48C1B0563F451C08F1A270DDB18BC65B925F178C8F0EE55160B3CC
SHA-512:	B28D851D0CA4B83C7A5ED8E70A59F1181CB868B755F4D959D31528867F922933791734CB038A8FC5F66FD81C5FE93A164C1EF5D6EBE2012056DAC40CE8104D18
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mnodnfob.exe

Download File

Process:	C:\Windows\SysWOW64\Mbiciein.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.68104918677772
Encrypted:	false
SSDEEP:	3072:nO0qhKOGEy1RgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:nDqq1R1+fIyG5jZkCwi8r
MD5:	24C03AE87E6F88E042305ACE5C56BAA9
SHA1:	3711DAD42FEF7D361E8D65D8D3902E8224D7F2F7
SHA-256:	551C497A4ACB28A77EB55F730F63B64233AFB6EFD9ABABB0DFADA6A924DC34B2
SHA-512:	C6F5C507E86B894513CE51633F5A275E996F7F57F75A2E04B848CD00CC63503F113BDD29125B0374A4C7D727C933CAE87795915D4A3717A1820A759F7D212D53
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Moqmapgi.dll

Download File

Process:	C:\Windows\SysWOW64\Lbmcmgck.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863946297628897
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0RB+BDq9J5SC:8qtV0HAr4wB+FqX5SC
MD5:	0BE7761B8A8F525D799F56B6BD7537FC
SHA1:	91BBADB6AA7C8B16EBFA0859E017F836AB52E105
SHA-256:	7D084BFF93E3A8E354EF31BA1D37DDA1885DE627BBEBF926EBE8E33DD0B3FEF9
SHA-512:	57740C4DCC059D3621EB76BE9135033E7C287DEC557725B2C9863DA64A59C08D85FDF61AA9D722E377CACCC730062D0EC6E8943AD3310980E6E09920EEBE1ACC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Naipepdh.exe

Download File

Process:	C:\Windows\SysWOW64\Nbdbdc32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.679218218989879
Encrypted:	false
SSDEEP:	3072:xeVeDWaa3eZ1PqJpwXDgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:yreZ0Jmz1+fIyG5jZkCwi8r
MD5:	B3290E1E908A171DF3EFE9142B1A7D4D
SHA1:	AD218CA0270479B382473A49B9BD276AA35856A1
SHA-256:	97112AF9DEDBD84649708FC6616577FD1BE0CBF60CE98D9A165D55DABDC47E66
SHA-512:	1E3738AAD7C1A54298BAF9B7F1A693EC823AE61C167C3BC23A3BA82F44B80B6007954B84694B341004263AC0D5FAF7D7BF484E95A413F94D3639291D713B0A1C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nbdbdc32.exe

Download File

Process:	C:\Windows\SysWOW64\Maefjq32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.67560709618571
Encrypted:	false
SSDEEP:	3072:5T/ucfktuyuF/hZii8gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:5n8tuBF/r981+fIyG5jZkCwi8r
MD5:	C95E1B71474A4BA569CC5C2D609717E2
SHA1:	10E29A4853132DCC6322351A1AC950CC178210CE
SHA-256:	7983904B148771AA68813D0991D7C95FF9BEBF31EF0AC0EB14351EF63740BFE5
SHA-512:	A1A3DDD08DCBD5AB9D0925E2E30B88452D9C79C99A4CABAD76255FA158D598F96DC8C2B68B20FA64030D57DEA4B54B23D5FF1A93596DC2E52EA99BC4B34D1B10
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ndbcmg32.dll

Download File

Process:	C:\Windows\SysWOW64\Pklpkb32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8622996615759035
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0yB+BDq9J5SC:8qtV0HAr4HB+FqX5SC
MD5:	EB4F9F9F84AE39A5B6D4A358B9D33528
SHA1:	8FEBB98C7D818E3813A3882166B5333287E83555
SHA-256:	E3F0C9E0D475700B2B465998A6F3495CCF4DDD81F34CD1BA4084E327B9BC0682
SHA-512:	80EEC348476A4EB48FE151E07796AB537911685B0B55A4403D5A2DAB3701BBDDFF66F11E260CA1561CECC13FB7D91387CEEDBAFFCA9B696F3124583A45673B36
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nghjeepc.dll

Download File

Process:	C:\Windows\SysWOW64\Olmpdg32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862772617138474
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0hsB+BDq9J5SC:8qtV0HAr40sB+FqX5SC
MD5:	107EB41926B3C434318128BF56394883
SHA1:	7A46C3AB7035BE90718BC70CDC3C8E29C11B9740
SHA-256:	B6C8BE5FEBFE7A657FC68D301B0C62999D12EB498DD6352EEB0C1CD93BF7386A
SHA-512:	8B18F250BD9F9FF3D675978A4C16800D2129FE111E2F3D760FD3D13CFA956072A15B9B64413203CE71E4A3ADF1C99C16DF2802FAE4E370CEF83A666040E4143C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Njfmiegc.exe

Download File

Process:	C:\Windows\SysWOW64\Nlaqhh32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6812415672477385
Encrypted:	false
SSDEEP:	3072:CSUDfWPNJ517CE7+rAVsjgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:f/PJsj1+fIyG5jZkCwi8r
MD5:	82549D32B9E9F17AB1FFF87D5D49893C
SHA1:	69F5B43B6DD4BCBDFFDBBB5DBA0ECC52BB34F943
SHA-256:	7A054BA672162845E755B1CC944553E60A9F030FA404A49701BDA35C49CD048E
SHA-512:	EDAE15491257539C5F347C2D126D9B69EFE1C675360CA0B849BC861C4B3E9E92E0B98B25FCD21D9E6164EB9E7BA008364133D8B645A052A69B0C0215A192D78E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nlaqhh32.exe

Download File

Process:	C:\Windows\SysWOW64\Nnmpodcb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6787891868806915
Encrypted:	false
SSDEEP:	3072:y7+Rw7n8h7aO4tC2JhgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:yKR9hQBh1+fIyG5jZkCwi8r
MD5:	EE8F87788EF191C005E39679D12A159B
SHA1:	3ECF3A75A66794490937E680ADAC361A0E3884F3
SHA-256:	B01E33A97C717ED646ABA00692D37E8E30F164092B2466E39A1ECE4CF0E7CDFE
SHA-512:	AD89A1C4A7163F28806CA3B79165D15280898D8B3FA137B6D11038B6FC8E111B13CD8C5442A8E7B83E3EBFA4F33EB5BC6356DEF28520D2BC8E29DEF8E01C6069
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nnmpodcb.exe

Download File

Process:	C:\Windows\SysWOW64\Naipepdh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6792504693837795
Encrypted:	false
SSDEEP:	3072:XhV8NCFB+D7+9XVgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XTfFq+9XV1+fIyG5jZkCwi8r
MD5:	BDB5BC4D6CFB1A2D93ABBE958681F615
SHA1:	491A00D0A4FA61FB9949E6F02179A36EF3418AA1
SHA-256:	5156BE2B57F104618F289414CD80611484A7E5E6EC351AA06CD4C739D2EAA1A1
SHA-512:	EBBD1496FFCFC4DDA935534051EA7F634AC1442EC71584EFD670B3C3B6E76E0F613B2FF2E5E1B680A87A5C775E1E23E943D00788B89EA3F5F4649A3EA97A6CE4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Obbofa32.exe

Download File

Process:	C:\Windows\SysWOW64\Oihnglob.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.66088909295655
Encrypted:	false
SSDEEP:	3072:HP6kd3eUFCugMBgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:vd3zFV3B1+fIyG5jZkCwi8r
MD5:	046CF0C6D652D63EF01DEA04915EEA1B
SHA1:	EE6A150101CAA76AFE59865EF33D56FA06128344
SHA-256:	DC33E82EFCA33C7AA3158ED19037BE1B5530DEAFEA38AEB91E45E36EB93F6FB1
SHA-512:	7F552E07498A6EACB818CBD6E39637D9A375A156024FC9E345DE1169A8466A0A0BEB66664E90254A8B6D81EAF05E1513A93ED527E3A653E0E015980905E35B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ocnhkj32.dll

Download File

Process:	C:\Windows\SysWOW64\Poeofa32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8628378535727332
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0sB+BDq9J5SC:8qtV0HAr4RB+FqX5SC
MD5:	FC054AA8C365D0CF6907DDBFC72FA725
SHA1:	35CDF6089A765E7D78653EEC89DB7FB281853615
SHA-256:	97280002968010AE7930BA04AF4ED721DB669DB80731436254C123AEE805819F
SHA-512:	61084611CF89397B7DBE36BE3D4A5A5D53E30B92E8537F7E279B6784C78CEB8C2CCC3A9958321703A64128FFBFC4246E07E810939DF1F848D9F159618469731B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Oelbhifg.dll

Download File

Process:	C:\Windows\SysWOW64\Lgqbfmlj.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862556591775607
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0zB+BDq9J5SC:8qtV0HAr4aB+FqX5SC
MD5:	CBBBBA2A9391969F90EEC2EC6729F0BC
SHA1:	2EE14E76994A1E120E64319AF7D1AAB559E98ED3
SHA-256:	531EA6CE5260FB6AAC3FD8AAAE237890B2A5CE2D6009E03509D71A776B3D5A42
SHA-512:	9B399E935D30DD2A6098DC58B69CA82C69ED24C3A092FF1AACAE75993BD6B871CA2D7148EED0AC7410990E1ACBB4E50EBCCB1D825AC493A9CF7E65A4029549BB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Oihnglob.exe

Download File

Process:	C:\Windows\SysWOW64\Njfmiegc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.670371250002951
Encrypted:	false
SSDEEP:	3072:RqvGK+jRrME91EbgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:8BcRouEb1+fIyG5jZkCwi8r
MD5:	4D796F85EF73E2F666C65C8C7E7A7A49
SHA1:	3F8D0F7CA80E6815A8EB0987C8DAC9A699F3AE04
SHA-256:	923696466EC820F2D8B6E3B7E5B3D77F53A16F2E6F8C7D864461B78A6E0DA7E7
SHA-512:	019F436D7205D66F45A80CF17032D40D9D4BB424B71915321AADBB0CD19A6FE5F768E74092F2FFBBC3785A0A4EFBBCB97F2F2C987272070C6072FB95B0B9B2F4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ojkfapce.dll

Download File

Process:	C:\Windows\SysWOW64\Ikgcna32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863016223065048
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0oB+BDq9J5SC:8qtV0HAr4ZB+FqX5SC
MD5:	B3348389A5A2A2203E7AF75F54326576
SHA1:	71116250F7B95C4F314A1736EA7DAE8DE49FF01E
SHA-256:	66B5EEF421E78B93F39F4353392DB7587C1ED2705D7570B1B76D456991FBDE00
SHA-512:	746B8F2F3E9158835AA87DFA279C134F924B485434C27B3E283FA1D6D3CE86214BE2FD5F1F1F2E3F148A6B325356D475061E091C1717A14F3226C78E05F9D4C7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Olmpdg32.exe

Download File

Process:	C:\Windows\SysWOW64\Ooipkb32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.651686819463
Encrypted:	false
SSDEEP:	3072:xTOEj0vT5Ca0WplsnpgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:xTO9b8a08lGp1+fIyG5jZkCwi8r
MD5:	8B926717C5CB2963272DB3B1996639FE
SHA1:	7E3D1BEFEC1B56ED6322977B3587F2B9CB589E84
SHA-256:	A37C1A6D9BF018F8FD5CAC596E25C2B9A2EAEEC4977FFB94BE664A3E4B5E3BD4
SHA-512:	233A2768EB0FBDA1E2FDEE82ACF3CD967250F0CA02B31B7544571E0E1F9CAECF267343F8B9BBC9BF70C8C2E04996CAB9810B11FEE36E029BA1236CDD65EE49F4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Olpmjffk.exe

Download File

Process:	C:\Windows\SysWOW64\Olmpdg32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.665674886470882
Encrypted:	false
SSDEEP:	3072:+WB1KeUtQPik8fvMygYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:hPKtQPikKvMy1+fIyG5jZkCwi8r
MD5:	E5A628E6A49213BA55FBC416E1248381
SHA1:	73A4AAC847526A83F1F357915127E295F5F70E06
SHA-256:	82F0A5142C787B694E37855CB21734FAC7163D479BB405A6C6888223E8A9DFFF
SHA-512:	DBC08FC98A760C316F1798097AF250BFB020540F6A68AB8CCE741C767ED38C8589B72F40BA44FF9499F1F5704F3CB58318B0D0BB3A12716D21BB265371011121
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Omfmbkgb.dll

Download File

Process:	C:\Windows\SysWOW64\Peadik32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862458934664124
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0iB+BDq9J5SC:8qtV0HAr4DB+FqX5SC
MD5:	59785DC4A78F98337608CC82E33BF58F
SHA1:	0025CA39CEE77528000F3149BF972097008CAACD
SHA-256:	17949A84E6B21C833F1417896748C92A2257AEEA6FDA4F55A134ADA99613EEC7
SHA-512:	438D9B9B43F31A359B15F2268D1AD58A8E9FF7A9036A9DBD3004504420B26DFFE3C25A9033D3311BBC44F0859C9C301A1CA4C9FBD30D095D6DA54C64948AC575
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ooipkb32.exe

Download File

Process:	C:\Windows\SysWOW64\Obbofa32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.640683607096934
Encrypted:	false
SSDEEP:	3072:mxxNS5VfkPosgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:mn0fMos1+fIyG5jZkCwi8r
MD5:	DFAC4E8D9942591C0ED22E230D6A03A7
SHA1:	805C2A942BB03C71B2B55B154B74F9A28B2B485D
SHA-256:	6599BE5332E53C1AA2F3A319E19F45ACF0F372A60577E72CFA46662696680013
SHA-512:	44D59E34ABDF4B288002419D21B70CF01B9647697BF2F853E7CBBA561185F0D3FDD49EA7F38F05ABA9B00F7EE91E0166AB300DD19438A586BFB124D3D62FCE83
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Peadik32.exe

Download File

Process:	C:\Windows\SysWOW64\Pklpkb32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.670483276661957
Encrypted:	false
SSDEEP:	3072:H7y+/E5CGXCyhgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:G+/qCFyh1+fIyG5jZkCwi8r
MD5:	65FE7DE016AAB6B76E0376FA9C1F7C4C
SHA1:	BBEA648EAF9B7C03B85D4F37AF4A566122D314C7
SHA-256:	DDF8DAA22D84D5B045F18CEC054A4A93830ACA5237DC401DB19E37230E08D352
SHA-512:	73A4381BA731C6A6DEABEDDD3FDC34AACC8327C4F4F49819C1F9D726F0386A62A4E9A8C5B5EA056140D352C8A2B677A454A620855F2B80205869A46027365651
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pkdiefem.dll

Download File

Process:	C:\Windows\SysWOW64\Ipfhkgac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8634332417895365
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0hB+BDq9J5SC:8qtV0HAr4IB+FqX5SC
MD5:	1151F2DB8BCD0D372FC1D4CF7C97D792
SHA1:	262D694F48A1131B805D9F802FCAB4DFB64953FA
SHA-256:	9819EDC058CDD8AF35669701E1C2EB157C4A30D1A9287EE184CF9F4E6A55223C
SHA-512:	E3C7BDC2537C700A22794431D76622B8419056F104CC5C93B7DD414BBBEAC31153D783CFA2AC93639557858273D3E5C5F14766343B5202142E9F5587ADC8CE15
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pkgfpbhq.exe

Download File

Process:	C:\Windows\SysWOW64\Plbiofci.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.671948585524528
Encrypted:	false
SSDEEP:	3072:B/QEzL8RMk39GPgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:B/BHHP1+fIyG5jZkCwi8r
MD5:	602D0C607533FBFB5C861134DB2AD084
SHA1:	02F88D387A87F4A0466F36CDBF3C4071C5FEF456
SHA-256:	593AB18041181365AA80C352483D44B13CF49F13C21DFE016211B6321C3B4872
SHA-512:	98393E0398A050C12EE58C9F85EA7549FD101EA8A32D03D72E5DCC8DCBB141F1FCA5A86D0DBFDA6C4D2123FB56B28B7E3D64D23585CEBFF433AFD35B5BCBDF3C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pklpkb32.exe

Download File

Process:	C:\Windows\SysWOW64\Poeofa32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.680353141827424
Encrypted:	false
SSDEEP:	3072:BBSTLeaPkT53gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XS3Z631+fIyG5jZkCwi8r
MD5:	FD1402ECAB55A284004F6CEF8BAE66C4
SHA1:	0633914599A1B1D76B839E1F7DB19E3E91503AB6
SHA-256:	846774E8664BD3AB083A2627269C90EC24C7662DD5A595F03E9FEDAE442F98E1
SHA-512:	B56BD6E8C4E6BD0853A4A928BF096FDA18C139FF768CC1527E3C2FD6FE0AC211D6A26B515FDC059C9E65D6210179C1BE8A803A6BBF3D9763C4E1BD284A4CA06E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Plbiofci.exe

Download File

Process:	C:\Windows\SysWOW64\Olpmjffk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.671424918696807
Encrypted:	false
SSDEEP:	3072:4KcPQoU2/+fifsgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:4Kc4NiU1+fIyG5jZkCwi8r
MD5:	46E652A4455D1CDBCFAF72579A1D51DF
SHA1:	C7A8C7F0DDEA75626A282157160BB0043706DC83
SHA-256:	D99C47E03EADB08A82590D4D4DBD8895ECB65324FF25010D626A962D8B7ED1EE
SHA-512:	D681A917CED3120A8EFD3C6D7BE602B8C7778DF8EDA3C57F1A20A04D35865FCF5D4A4CF087FF801920707B0D5EE5B2CD9171B79C5E03AF91BE0209637F52D9B5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pmallabk.dll

Download File

Process:	C:\Windows\SysWOW64\Lileeqgb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8636152850781524
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0MB+BDq9J5SC:8qtV0HAr4VB+FqX5SC
MD5:	A2E20B613828D25B913FFE952A45B3F4
SHA1:	174FF1C9607979793390AE596D7C5CC81A6E0354
SHA-256:	64C652D06C74783FF00F21B92E12B5A06F9F0C24C87DA24299FA9F330385CA7C
SHA-512:	082D4CA90834EE4A80DB1E27AB5787D9E6B39225A9284CFC9EA91012D632E6F3123D8E506C74516DA2B689F8C5040C382D8B8D34BFED9F1AAB35D7A0E0837EA4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pnnifl32.dll

Download File

Process:	C:\Windows\SysWOW64\Nnmpodcb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8633799019706396
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0MB+BDq9J5SC:8qtV0HAr4RB+FqX5SC
MD5:	C47C0D3F24714E5B9B1358DEC7E144D4
SHA1:	C25776E210461455DB74D79F26E6513B0E01A8D1
SHA-256:	11E4D1C2CB323A7A283D044151E63B232B720628C03C6C8F48651CB601F79DEA
SHA-512:	0E9475AEC6C2E49B9218CF433EA6355F4F4F5F1684498F7EEB5AA5AF5230E844FD29A7194C5048462025E8C9C28A32B8F237FF288817DF1A2DC136DFED5CACF1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Poeofa32.exe

Download File

Process:	C:\Windows\SysWOW64\Pkgfpbhq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.692996518617964
Encrypted:	false
SSDEEP:	3072:eO3ffGsfjGqgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:H3ffGzq1+fIyG5jZkCwi8r
MD5:	55763FED85DBD88A0F7A8C5303620C72
SHA1:	1A70DB5DFBC8225AF03F2D83B80E5DA5891BC2C1
SHA-256:	2F0A91E936FAB4C20F866DDC625D06C2B2A2B1919349117D41D2414551E951F9
SHA-512:	1CE1A22A58DEDC7D1533B20FFE91B17D50CA3BBDF324B76D1726462E491EF750CBACFED19889765A5CEDB1BFE81FE51A8EDCA6FF90545063E1C02C84284C7265
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pojhapkb.exe

Download File

Process:	C:\Windows\SysWOW64\Peadik32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.645612626546066
Encrypted:	false
SSDEEP:	3072:UKe4KAOKRt2dMgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:/KAOiaM1+fIyG5jZkCwi8r
MD5:	4BC77BBA2E783C2CE66CF4AC2D0C5F07
SHA1:	D49F2E8285A3FAD23BFF8E77D8448F269F1A072E
SHA-256:	2634D0240337F7D2B2C807E8B2D8B09BA2ACECF92978C5D36F4AECDC7764274F
SHA-512:	45F294F86DEAB440B7404BBB61C06CE5DEA23677347148C5E6C10FAF21A2F10F13E1CDC686DE81CC5ABDDDEF9EDED8FB8DCB2CAFCEE24C776CF1ABA1D6F2345B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pojhapkb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pojhapkb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pojhapkb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pojhapkb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pojhapkb.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ppgdmofd.dll

Download File

Process:	C:\Windows\SysWOW64\Jgdjcadj.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8635656732341594
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0gB+BDq9J5SC:8qtV0HAr4VB+FqX5SC
MD5:	555FE6E280FD358FED35596DB9E71BAF
SHA1:	AAC66B43B6FC060ECCD5C9EB98FC2A0DDAF5EF79
SHA-256:	1EDA6B9153D33CA225A8FD9629379958891C4327EECA8E844D05DBFBB1559CFE
SHA-512:	C1AEB39F6DD484D32BD414EFB82304CA5495F08D61E2ABAB4D079A24CE31AED5267E9A477F0A14329B8BB1863BF9E22CD4C5BF7C4CD640A8E1BC5BF1E246D470
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Qelfpmpj.dll

Download File

Process:	C:\Windows\SysWOW64\Idogffko.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630033440425766
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0yR9B+BDq9J5SC:8qtV0HAr4H9B+FqX5SC
MD5:	39D6D26B277F6ACF02C2F76DDBFA7C85
SHA1:	A45E31CF80B29D39B89DDDA1D56CB3A1BF19A6FF
SHA-256:	EA2673F7761369BE48D5FA36A1DF20E9736265D521002254AA572BD988D88534
SHA-512:	8F99BAB8DB351B7F5EE15FA5E514521189412A238437B14D1A32B9E15728EFDAC44D27C833670E8C94AFE371FBFD2A0C15605F1458A6334C5DD1CC510B9C5F16
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.658878868448483
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Xtks4KI16J.exe
File size:	346'052 bytes
MD5:	e7535a5bf45492fceb86529a7fc9262d
SHA1:	3794cd79ac81a757a3a5472425d636d09542bf82
SHA256:	f786169ec6bf76ccf3ae7e231f5721926d668e8162a3772adb4d60edf27ed4e7
SHA512:	d19ccb540b28a04bc15b69686a14603c2cabeb5308012e7af42ad05c264584849e10d030604306dfaff553ca292345e873b9a1cf9a1221c9024761c0cc4692ab
SSDEEP:	3072:3Sst4XV4aNygYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3r4XVJy1+fIyG5jZkCwi8r
TLSH:	2B74E7FB5DA25B1FC25F977988ABCAD06669C48F0C66C14225702CD9BA6F0823CF5D4C
File Content Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x430000
Entrypoint Section:	.fldo
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5DD70A7B [Thu Nov 21 22:06:51 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	0b36fc85e0cb5e337c80982db5210969

Entrypoint Preview

Instruction
pushad
nop
nop
nop
nop
nop
mov eax, 00401000h
nop
nop
mov ebx, 00408F6Ch
nop
mov ecx, 27C057DAh
nop
test eax, eax
nop
nop
nop
nop
nop
je 00007F6DB886B3BEh
nop
nop
nop
xor dword ptr [eax], ecx
nop
nop
nop
nop
nop
nop
nop
nop
inc eax
nop
nop
nop
nop
nop
inc eax
nop
nop
nop
inc eax
nop
nop
nop
nop
nop
inc eax
nop
nop
nop
nop
cmp eax, ebx
nop
nop
nop
nop
jne 00007F6DB886B36Ah
nop
nop
nop
mov eax, 0042B000h
nop
mov ebx, 0042E3D0h
nop
mov ecx, 2CFF3239h
test eax, eax
nop
nop
nop
nop
je 00007F6DB886B3AEh
nop
nop
nop
nop
nop
nop
xor dword ptr [eax], ecx
nop
nop
nop
nop
nop
add eax, 04h
nop
nop
cmp eax, ebx
nop
nop
nop
jne 00007F6DB886B37Dh
nop
nop
nop
nop
nop
nop
nop
popad
nop
jmp 00007F6DB883C51Fh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push eax
nop
nop
nop
nop
nop
mov eax, ecx
nop
nop
nop
nop
div edi
nop
nop
nop
nop
nop
nop
nop
xchg eax, ecx
nop
nop
nop
pop eax
nop
nop
nop
nop
nop
mov esi, 44A85974h
nop
xor dword ptr [eax], esi
nop
nop
nop
add eax, edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31000	0x1200	.l1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31498	0x70b	.l1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7f6c	0x7f6c	3b72247cc248675362273fdabb08df8b	False	0.6272838749233599	data	7.11901866962878	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x9000	0x213b0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2b000	0x33d0	0x33d0	2b29353f00fae5e0a11de1c932a4f7ae	False	0.4355398069963812	data	5.951744467021676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2f000	0xea4	0xea4	07503ec7be5c514cb3ab851e7b2fddc2	False	0.39567769477054426	data	5.152165428838902	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fldo	0x30000	0x1000	0x200	967733ccef30ee200816b3b6049f1dfb	False	0.279296875	data	2.257263010698836	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.l1	0x31000	0x1200	0x1200	02652d9b7d54cdf6d766c9051bdb61c4	False	0.3776041666666667	data	5.291781955696081	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ole32.DLL	CoCreateInstance, CLSIDFromString, CoInitialize, CoUninitialize
OLEAUT32.DLL	SysAllocString
WININET.DLL	DeleteUrlCacheEntry, FindFirstUrlCacheEntryA, FindNextUrlCacheEntryA
KERNEL32.DLL	ExitProcess, ExpandEnvironmentStringsA, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetExitCodeThread, GetFileSize, GetModuleFileNameA, GetModuleHandleA, CloseHandle, GetProcAddress, GetSystemDirectoryA, GetTempPathA, GetTickCount, GetVersion, GetVersionExA, GetWindowsDirectoryA, GlobalMemoryStatus, CopyFileA, InterlockedIncrement, IsBadReadPtr, IsBadWritePtr, LoadLibraryA, LocalAlloc, LocalFree, OpenMutexA, CreateFileA, ReadFile, RtlUnwind, SetFilePointer, CreateMutexA, Sleep, TerminateProcess, VirtualQuery, CreateProcessA, WaitForSingleObject, WideCharToMultiByte, WinExec, WriteFile, lstrlenA, lstrlenW, CreateThread, DeleteFileA
USER32.DLL	GetWindowTextA, GetWindowRect, FindWindowA, GetWindow, GetClassNameA, SetFocus, GetForegroundWindow, LoadCursorA, LoadIconA, SetTimer, RegisterClassA, MessageBoxA, GetMessageA, GetWindowLongA, SetWindowLongA, CreateDesktopA, SetThreadDesktop, GetThreadDesktop, TranslateMessage, DispatchMessageA, SendMessageA, PostQuitMessage, ShowWindow, CreateWindowExA, DestroyWindow, MoveWindow, DefWindowProcA, CallWindowProcA
GDI32.DLL	GetStockObject, SetBkColor, SetTextColor, CreateBrushIndirect, CreateFontA
ADVAPI32.DLL	GetUserNameA, RegCreateKeyExA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, GetSecurityInfo, SetSecurityInfo, SetEntriesInAclA
CRTDLL.DLL	__GetMainArgs, _sleep, _stricmp, atoi, exit, memcpy, memset, printf, raise, rand, signal, sprintf, srand, sscanf, strcat, strchr, strncmp, vsprintf
NTDLL.DLL	LdrUnloadDll

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Xtks4KI16J.exePID: 1620, Parent PID: 2580

General

Target ID:	0
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Users\user\Desktop\Xtks4KI16J.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Xtks4KI16J.exe"
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E7535A5BF45492FCEB86529A7FC9262D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.1667029266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.1667061193.0000000000508000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ikgcna32.exePID: 5228, Parent PID: 1620

General

Target ID:	1
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Ikgcna32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ikgcna32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	5BF78889FF869E37498DE5C9C505D3F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000003.1667291116.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000003.1667894302.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ikgcna32.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Idogffko.exePID: 4484, Parent PID: 5228

General

Target ID:	2
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Idogffko.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Idogffko.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	44B1D19D1F316401D07436026D0C8F93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000003.1668782636.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000003.1668815811.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Idogffko.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ipfhkgac.exePID: 3300, Parent PID: 4484

General

Target ID:	3
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Ipfhkgac.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ipfhkgac.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	4F2762AB1971305DCB7E62833EE29EC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000003.1669035615.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000003.1669512206.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ipfhkgac.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ikklipqi.exePID: 5824, Parent PID: 3300

General

Target ID:	4
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Ikklipqi.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ikklipqi.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	5F42235DCB8D9B0D74D8780DEDEF3DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000003.1669744969.0000000000606000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000003.1670200142.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ikklipqi.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jddqaf32.exePID: 4564, Parent PID: 5824

General

Target ID:	5
Start time:	03:48:33
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jddqaf32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jddqaf32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	52F2625244F7597416A74A133B7029C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000003.1671203618.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000003.1670457993.0000000000566000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jddqaf32.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jjqijmeq.exePID: 3632, Parent PID: 4564

General

Target ID:	6
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jjqijmeq.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jjqijmeq.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	2C9A4475BE131CCAC6871AE983CA72EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000003.1671436205.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000003.1671740347.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jjqijmeq.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jgdjcadj.exePID: 2596, Parent PID: 3632

General

Target ID:	7
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jgdjcadj.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jgdjcadj.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	8186437E2CA451B45919F2179F00DD06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000003.1672114191.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000003.1672430705.0000000000547000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jgdjcadj.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jqmnlf32.exePID: 6748, Parent PID: 2596

General

Target ID:	8
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jqmnlf32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jqmnlf32.exe
Imagebase:	0xb10000
File size:	346'052 bytes
MD5 hash:	92CFBCE6CFD5AA8DC54EE9ECA05DC000
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000003.1672819793.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000003.1673624988.00000000004A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jqmnlf32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jkbbioja.exePID: 4280, Parent PID: 6748

General

Target ID:	9
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jkbbioja.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jkbbioja.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	3F9DFF15D79161B762641DEBC1DD1253
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000003.1674880791.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000003.1674489593.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jkbbioja.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jbogli32.exePID: 6008, Parent PID: 4280

General

Target ID:	10
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Jbogli32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jbogli32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	954F234246B8674AD183FA10ACAF2457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000003.1676196679.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jbogli32.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Kjjlpk32.exePID: 6668, Parent PID: 6008

General

Target ID:	11
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Kjjlpk32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Kjjlpk32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	51E61062139BE553220506C4BC182CD4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000003.1676781348.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000003.1676450226.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kjjlpk32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Kkjhjn32.exePID: 7112, Parent PID: 6668

General

Target ID:	12
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Kkjhjn32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Kkjhjn32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	A7516A7869FFE0EC2C66E2A7A0B02444
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000003.1677476799.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000003.1678785309.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkjhjn32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Khnicb32.exePID: 7184, Parent PID: 7112

General

Target ID:	13
Start time:	03:48:34
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Khnicb32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Khnicb32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	F2D6F9BC64756AD880683220BDD89B61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000003.1679986428.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000003.1681569219.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Khnicb32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Khbbobom.exePID: 7200, Parent PID: 7184

General

Target ID:	14
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Khbbobom.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Khbbobom.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	D5D0C07DEEC73A95DC48372F44B81AC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000003.1681947520.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000003.1682561869.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Khbbobom.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Lbmcmgck.exePID: 7216, Parent PID: 7200

General

Target ID:	15
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Lbmcmgck.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Lbmcmgck.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	AF4FF01A204CD902288202DED8E23A38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000003.1683462189.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000003.1684599558.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lbmcmgck.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Lqbqnc32.exePID: 7232, Parent PID: 7216

General

Target ID:	16
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Lqbqnc32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Lqbqnc32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	FD3AF1AA7CF7E783321048E4FFC396A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000003.1684949314.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000003.1686155433.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lqbqnc32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Lileeqgb.exePID: 7248, Parent PID: 7232

General

Target ID:	17
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Lileeqgb.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Lileeqgb.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	7F4D403B3A930EAA5CCF08F8F1FA92BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000003.1687305020.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000003.1686405855.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lileeqgb.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Lgqbfmlj.exePID: 7264, Parent PID: 7248

General

Target ID:	18
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Lgqbfmlj.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Lgqbfmlj.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	274BC707BAF2708F03F6380BBB2C14E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000003.1688164672.0000000000766000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000003.1688636072.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Lgqbfmlj.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mbiciein.exePID: 7284, Parent PID: 7264

General

Target ID:	19
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Mbiciein.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mbiciein.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E472CC27576F19571E64776E28F7DDB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000013.00000002.1996078881.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000003.1690653470.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000003.1689381091.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mbiciein.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mnodnfob.exePID: 7300, Parent PID: 7284

General

Target ID:	20
Start time:	03:48:35
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Mnodnfob.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mnodnfob.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	24C03AE87E6F88E042305ACE5C56BAA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000014.00000002.1997305400.000000000042B000.00000004.00000001.01000000.00000017.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000003.1690898361.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000003.1691398102.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mnodnfob.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mapmoalc.exePID: 7320, Parent PID: 7300

General

Target ID:	21
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Mapmoalc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mapmoalc.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	78C3B2396D3A3315BC238EC41BCEC25B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000003.1692151763.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000015.00000002.1997873391.000000000042B000.00000004.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000003.1691808934.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mapmoalc.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mndmif32.exePID: 7336, Parent PID: 7320

General

Target ID:	22
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Mndmif32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mndmif32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	A7BBB89E20C7F6C459957260066705AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000003.1693116752.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000016.00000002.1998585566.000000000042B000.00000004.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000003.1693082181.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mndmif32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mhlaakam.exePID: 7352, Parent PID: 7336

General

Target ID:	23
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Mhlaakam.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mhlaakam.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	7BCEC97A05D4FF32C52BDF14A4C9A277
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000003.1694286330.0000000000498000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000003.1694223714.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000017.00000002.1999586381.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mhlaakam.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Maefjq32.exePID: 7368, Parent PID: 7352

General

Target ID:	24
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Maefjq32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Maefjq32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	28CC60C41EDF66DC2FECC77632BA2A0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000018.00000002.2001051775.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000018.00000003.1694510887.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000018.00000003.1695645633.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Maefjq32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nbdbdc32.exePID: 7384, Parent PID: 7368

General

Target ID:	25
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Nbdbdc32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nbdbdc32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	C95E1B71474A4BA569CC5C2D609717E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000003.1695959573.0000000000746000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000019.00000002.2002193178.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000003.1696422787.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nbdbdc32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Naipepdh.exePID: 7400, Parent PID: 7384

General

Target ID:	26
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Naipepdh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Naipepdh.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	B3290E1E908A171DF3EFE9142B1A7D4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001A.00000002.2002980502.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001A.00000003.1697552383.0000000000797000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001A.00000003.1697597168.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Naipepdh.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nnmpodcb.exePID: 7416, Parent PID: 7400

General

Target ID:	27
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Nnmpodcb.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nnmpodcb.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	BDB5BC4D6CFB1A2D93ABBE958681F615
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001B.00000002.2004365207.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001B.00000003.1698913597.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001B.00000003.1697850395.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nnmpodcb.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nlaqhh32.exePID: 7432, Parent PID: 7416

General

Target ID:	28
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Nlaqhh32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nlaqhh32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	EE8F87788EF191C005E39679D12A159B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001C.00000003.1699661136.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001C.00000002.2005187515.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001C.00000003.1699181347.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nlaqhh32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Njfmiegc.exePID: 7448, Parent PID: 7432

General

Target ID:	29
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Njfmiegc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Njfmiegc.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	82549D32B9E9F17AB1FFF87D5D49893C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001D.00000003.1701418557.0000000000625000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001D.00000003.1701115040.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001D.00000002.2007198128.000000000042B000.00000004.00000001.01000000.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Njfmiegc.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Oihnglob.exePID: 7464, Parent PID: 7448

General

Target ID:	30
Start time:	03:48:36
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Oihnglob.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Oihnglob.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	4D796F85EF73E2F666C65C8C7E7A7A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001E.00000003.1702063579.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001E.00000002.2008077984.000000000042B000.00000004.00000001.01000000.00000021.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001E.00000003.1702539267.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oihnglob.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Obbofa32.exePID: 7480, Parent PID: 7464

General

Target ID:	31
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Obbofa32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Obbofa32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	046CF0C6D652D63EF01DEA04915EEA1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001F.00000003.1703656412.0000000000707000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001F.00000002.2009121717.000000000042B000.00000004.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001F.00000003.1703055149.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Obbofa32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ooipkb32.exePID: 7496, Parent PID: 7480

General

Target ID:	32
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Ooipkb32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ooipkb32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	DFAC4E8D9942591C0ED22E230D6A03A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000020.00000003.1704430325.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000020.00000002.2010388848.000000000042B000.00000004.00000001.01000000.00000023.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000020.00000003.1703953725.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ooipkb32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Olmpdg32.exePID: 7512, Parent PID: 7496

General

Target ID:	33
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Olmpdg32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Olmpdg32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	8B926717C5CB2963272DB3B1996639FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000021.00000003.1705228208.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000021.00000003.1705639249.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000021.00000002.2011709914.000000000042B000.00000004.00000001.01000000.00000024.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Olmpdg32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Olpmjffk.exePID: 7532, Parent PID: 7512

General

Target ID:	34
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Olpmjffk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Olpmjffk.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E5A628E6A49213BA55FBC416E1248381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000022.00000002.2012897426.000000000042B000.00000004.00000001.01000000.00000025.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000022.00000003.1706530374.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000022.00000003.1707729803.0000000000567000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Olpmjffk.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Plbiofci.exePID: 7548, Parent PID: 7532

General

Target ID:	35
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Plbiofci.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Plbiofci.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	46E652A4455D1CDBCFAF72579A1D51DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000023.00000003.1707981977.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000023.00000002.2014944937.000000000042B000.00000004.00000001.01000000.00000026.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000023.00000003.1708810484.0000000000776000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plbiofci.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Pkgfpbhq.exePID: 7572, Parent PID: 7548

General

Target ID:	36
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Pkgfpbhq.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Pkgfpbhq.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	602D0C607533FBFB5C861134DB2AD084
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000024.00000003.1709294497.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000024.00000003.1710074051.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000024.00000002.2015659350.000000000042B000.00000004.00000001.01000000.00000027.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pkgfpbhq.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Poeofa32.exePID: 7588, Parent PID: 7572

General

Target ID:	37
Start time:	03:48:37
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Poeofa32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Poeofa32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	55763FED85DBD88A0F7A8C5303620C72
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000025.00000002.2016019452.000000000042B000.00000004.00000001.01000000.00000028.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000025.00000003.1710369558.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000025.00000003.1710709203.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Poeofa32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Pklpkb32.exePID: 7604, Parent PID: 7588

General

Target ID:	38
Start time:	03:48:38
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Pklpkb32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Pklpkb32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	FD1402ECAB55A284004F6CEF8BAE66C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000026.00000002.2017111770.000000000042B000.00000004.00000001.01000000.00000029.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000026.00000003.1711570308.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pklpkb32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Peadik32.exePID: 7620, Parent PID: 7604

General

Target ID:	39
Start time:	03:48:38
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\Peadik32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Peadik32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	65FE7DE016AAB6B76E0376FA9C1F7C4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000027.00000002.2017857827.000000000042B000.00000004.00000001.01000000.0000002A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000027.00000003.1712420174.0000000000518000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000027.00000003.1712314991.0000000000539000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Peadik32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Xtks4KI16J.exePID: 1620, Parent PID: 2580COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

dnkk.dll, xrefs: 00407BA7
surf.dat, xrefs: 00407BD4
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kk32.dll, xrefs: 00407B41
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
KingKarton_10, xrefs: 00407968, 00407D9A
3, xrefs: 00407AB6
kk32.vxd, xrefs: 00407B74
frm2, xrefs: 00407E1F
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
2, xrefs: 00407ABD
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
%s\%s.exe, xrefs: 00407AD6
Software\Microsoft, xrefs: 00407E24
RegisterServiceProcess, xrefs: 00407DC8
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kernel32.dll, xrefs: 00407DBE

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
3, xrefs: 00404316
CLSID\%s\InProcServer32, xrefs: 004043B2
2, xrefs: 0040431D
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
%s\%s.dll, xrefs: 0040433C
Ikgcna32, xrefs: 00404377, 0040437C

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ikgcna32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1640367988
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00401219 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

X"O, xrefs: 00401253

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: X"O
API String ID: 0-3695164475
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

X"O, xrefs: 00401253

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: X"O
API String ID: 0-3695164475
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Non-executed Functions

Function 00403DC3 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

6D43, xrefs: 00403E7D

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: 6D43
API String ID: 0-2272120732
Opcode ID: 19db3b4267267466fcd2ddfd0aaf4f61854c112a4bab500ef29b6f437dc11b4e
Instruction ID: ed2a4a0673b3cbe0cf9f0d43336b25b0feef7a6fa073c905f4e98535d57dc397
Opcode Fuzzy Hash: 19db3b4267267466fcd2ddfd0aaf4f61854c112a4bab500ef29b6f437dc11b4e
Instruction Fuzzy Hash: 2B114F6EFCE0140AC72D9C316841B77D5BA9377392F29B53A5801F3381D238CC0A408C

Function 00403CB3 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

6D43, xrefs: 00403D0D

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: 6D43
API String ID: 0-2272120732
Opcode ID: 69aff3fb20dea2b5d0b0875ef9005b4f6692fdcb809862e38d2f1d45ddb599b4
Instruction ID: 8bc5c565821a255af50f7e8b1c1fbdbf9833591184a8614d18cd10e2c6dbc39d
Opcode Fuzzy Hash: 69aff3fb20dea2b5d0b0875ef9005b4f6692fdcb809862e38d2f1d45ddb599b4
Instruction Fuzzy Hash: 02F09218F8F104068A15CD702480A73D87CDB37722F25783A5493F3343DA68CD06400C

Function 0042FE60 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5917a807fe9f79a8ad8f60add19e7691669e3da150666c21ab5b47498eceec43
Instruction ID: bba94502e035a2c1726015cf11007dc52f0e2079413aab7de3fe2891338f73ae
Opcode Fuzzy Hash: 5917a807fe9f79a8ad8f60add19e7691669e3da150666c21ab5b47498eceec43
Instruction Fuzzy Hash: 8E115B05D8F2812B961D8E7119209B6D934CB63664F5A76AE89D3B7DB3C90CCE07820E

Function 00430000 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02a60af5935905757ce11fd3f33918ccea0c1643f54226588cc5bb0bcbba246
Instruction ID: b8c74d16b12613ff0b2de9c621f844e9e0c6d3a8e0a562b46e950c60364f6cd4
Opcode Fuzzy Hash: f02a60af5935905757ce11fd3f33918ccea0c1643f54226588cc5bb0bcbba246
Instruction Fuzzy Hash: A4F01A68E8F104475B198C703490B73D079EB3B765F25753A9892F3757D62CCD4A801C

Function 00403D50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dbce3df0654c81300a8afe9c276bb6b3e3c1a64ddc02ec2824a7a3afcc4c12
Instruction ID: 548ae9071117d7bbe8a43db882b87e4e8540575cb5e6b64c41217f31213c673e
Opcode Fuzzy Hash: 68dbce3df0654c81300a8afe9c276bb6b3e3c1a64ddc02ec2824a7a3afcc4c12
Instruction Fuzzy Hash: F9E0B636D8A2008BC7158E30D589A35FABCDB6B312F24F575C009B7266C3B8D906D51C

Function 0043009C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212b67b819fc9a44edcffd0b4f21754d8011465b34c18a55907af6b463c9c890
Instruction ID: 5e8952bb8762578c00d4313ed95a4e624bd5e1fb7b94a3025523f8c957bea420
Opcode Fuzzy Hash: 212b67b819fc9a44edcffd0b4f21754d8011465b34c18a55907af6b463c9c890
Instruction Fuzzy Hash: 31D08C3EECE01046C60C8C706D12536E0F88277375F3A327A4801FB262C024C806808C

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s /C %s, xrefs: 00407768
http://crutop.ru/index.htm, xrefs: 004074DF
http://cvv.ru/index.htm, xrefs: 0040749F
\command.com, xrefs: 00407737
http://kadet.ru/index.htm, xrefs: 00407485
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
wupd , xrefs: 0040778C
%s/Rtdx1%i.htm, xrefs: 00407857
:, xrefs: 00407661
%s\Rtdx1%i.dat, xrefs: 004077DC
/, xrefs: 0040781B
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\cmd.exe, xrefs: 004076F2
http://kavkaz.ru/index.htm, xrefs: 00407587
http://ldark.nm.ru/index.htm, xrefs: 00407415
2, xrefs: 00407601
%s\command.pif, xrefs: 00407726
http://parex-bank.ru/index.htm, xrefs: 00407553
http://konfiskat.org/index.htm, xrefs: 00407539
:, xrefs: 00407654
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://crutop.nu/index.htm, xrefs: 004074B9
:%02u, xrefs: 00407682
http://fethard.biz/index.htm, xrefs: 004075C1
http://xware.cjb.net/index.htm, xrefs: 00407513
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://promo.ru/index.htm, xrefs: 00407442
%s\cmd.pif, xrefs: 004076D6

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Please fill in the correct information to verify your identity., xrefs: 004068DB
Your card number, xrefs: 00406A71
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Security Measures, xrefs: 0040677A
Card && expiration date, xrefs: 00406A38
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Explorer, xrefs: 004066F4
BUTTON, xrefs: 00406C11
KingKarton, xrefs: 00406746
MasterCard, xrefs: 0040692D
DocObject, xrefs: 004066E5
Visa, xrefs: 0040693F
ATM PIN-Code, xrefs: 00406AE3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Full Name, xrefs: 004069F3
Click Once To Continue, xrefs: 00406C0C
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://asechka.ru/index.php, xrefs: 0040725A
ofs_kk, xrefs: 00407382
http://crutop.nu/index.php, xrefs: 004071E6
http://www.redline.ru/index.php, xrefs: 0040730D
http://fethard.biz/index.php, xrefs: 00407352
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://crutop.ru/index.php, xrefs: 0040720F
http://color-bank.ru/index.php, xrefs: 00407243
http://cvv.ru/index.php, xrefs: 00407324
http://goldensand.ru/index.php, xrefs: 004072A5
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://devx.nm.ru/index.php, xrefs: 004072D3
http://filesearch.ru/index.php, xrefs: 004072BC
http://fuck.ru/index.php, xrefs: 00407288
http://mazafaka.ru/index.php, xrefs: 00407226
http://trojan.ru/index.php, xrefs: 00407271
http://hackers.lv/index.php, xrefs: 0040733B
vvpupkin, xrefs: 00407367
crutop, xrefs: 0040736C

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Please make corrections and try again., xrefs: 00406FDF
Your card number, xrefs: 00406EF5
Card && expiration date, xrefs: 00406EB6
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
EDIT, xrefs: 0040701A, 00407050, 0040708C
Explorer, xrefs: 00406C58
BUTTON, xrefs: 004070C8
KingKarton, xrefs: 00406CBB
MasterCard, xrefs: 00406DB8
DocObject, xrefs: 00406C49
Visa, xrefs: 00406DCF
ATM PIN-Code, xrefs: 00406F67
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Authorization Failed., xrefs: 00406CEF

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
</body><html>, xrefs: 00405ED6
</script>, xrefs: 00405E55
%sself.parent.location="%s";, xrefs: 00405D7B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
function x(), xrefs: 00405CF7
</head>, xrefs: 00405C1F
MicroSoft-Corp, xrefs: 00405BD3
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
<body>, xrefs: 00405C59
<html>, xrefs: 00405ABA
<script>, xrefs: 00405CAE
<head>, xrefs: 00405B5B

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
IEFrame, xrefs: 0040615D
\Iexplore.exe , xrefs: 00406048
D, xrefs: 0040609F
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
Path, xrefs: 0040557E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
\Iexplore.exe , xrefs: 0040561A
MicroSoft-Corp, xrefs: 00405700

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
GlobalUserOffline, xrefs: 00405413
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000000.00000002.1972326363.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1972311898.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972379509.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972395483.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972407539.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972418569.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1972430486.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Ikgcna32.exePID: 5228, Parent PID: 1620COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
2, xrefs: 00407ABD
kernel32.dll, xrefs: 00407DBE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
%s\%s.exe, xrefs: 00407AD6
KingKarton_10, xrefs: 00407968, 00407D9A
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
RegisterServiceProcess, xrefs: 00407DC8
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
dnkk.dll, xrefs: 00407BA7
kk32.vxd, xrefs: 00407B74
surf.dat, xrefs: 00407BD4
3, xrefs: 00407AB6
Software\Microsoft, xrefs: 00407E24
kk32.dll, xrefs: 00407B41

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

3, xrefs: 00404316
Idogffko, xrefs: 00404377, 0040437C
Web Event Logger, xrefs: 00404408
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1
Apartment, xrefs: 004043EC
%s\%s.dll, xrefs: 0040433C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Idogffko$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2300694092
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

SnqO, xrefs: 004040AB, 0040411B, 0040417A, 004041DC

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: SnqO
API String ID: 0-1794280908
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://kavkaz.ru/index.htm, xrefs: 00407587
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.nu/index.htm, xrefs: 004074B9
http://ldark.nm.ru/index.htm, xrefs: 004075A7
/, xrefs: 0040781B
%s/Rtdx1%i.htm, xrefs: 00407857
http://cvv.ru/index.htm, xrefs: 0040749F
http://xware.cjb.net/index.htm, xrefs: 00407513
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://mazafaka.ru/index.htm, xrefs: 004074F9
wupd , xrefs: 0040778C
:%02u, xrefs: 00407682
http://konfiskat.org/index.htm, xrefs: 00407539
%s /C %s, xrefs: 00407768
\command.com, xrefs: 00407737
http://parex-bank.ru/index.htm, xrefs: 00407553
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
%s\cmd.pif, xrefs: 004076D6
%s\cmd.exe, xrefs: 004076F2
%s\command.pif, xrefs: 00407726
http://fethard.biz/index.htm, xrefs: 004075C1
:, xrefs: 00407661
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://crutop.ru/index.htm, xrefs: 004074DF
:, xrefs: 00407654
2, xrefs: 00407601
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://promo.ru/index.htm, xrefs: 00407442
%s\Rtdx1%i.dat, xrefs: 004077DC

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Card && expiration date, xrefs: 00406A38
ATM PIN-Code, xrefs: 00406AE3
DocObject, xrefs: 004066E5
BUTTON, xrefs: 00406C11
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Your card number, xrefs: 00406A71
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Full Name, xrefs: 004069F3
KingKarton, xrefs: 00406746
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Please fill in the correct information to verify your identity., xrefs: 004068DB
Security Measures, xrefs: 0040677A
MasterCard, xrefs: 0040692D
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Explorer, xrefs: 004066F4
Click Once To Continue, xrefs: 00406C0C
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Visa, xrefs: 0040693F

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

ofs_kk, xrefs: 00407382
http://asechka.ru/index.php, xrefs: 0040725A
http://trojan.ru/index.php, xrefs: 00407271
http://goldensand.ru/index.php, xrefs: 004072A5
http://filesearch.ru/index.php, xrefs: 004072BC
http://cvv.ru/index.php, xrefs: 00407324
http://devx.nm.ru/index.php, xrefs: 004072D3
vvpupkin, xrefs: 00407367
http://mazafaka.ru/index.php, xrefs: 00407226
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.ru/index.php, xrefs: 0040720F
http://fuck.ru/index.php, xrefs: 00407288
http://www.redline.ru/index.php, xrefs: 0040730D
http://color-bank.ru/index.php, xrefs: 00407243
http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://crutop.nu/index.php, xrefs: 004071E6
http://hackers.lv/index.php, xrefs: 0040733B

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406EB6
ATM PIN-Code, xrefs: 00406F67
Authorization Failed., xrefs: 00406CEF
DocObject, xrefs: 00406C49
BUTTON, xrefs: 004070C8
Please make corrections and try again., xrefs: 00406FDF
Your card number, xrefs: 00406EF5
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
KingKarton, xrefs: 00406CBB
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Explorer, xrefs: 00406C58
Click Once To Continue, xrefs: 004070C3
EDIT, xrefs: 0040701A, 00407050, 0040708C
Visa, xrefs: 00406DCF

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%s<title>%s%u</title>, xrefs: 00405BDF
</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
</head>, xrefs: 00405C1F
<head>, xrefs: 00405B5B
.htm, xrefs: 00405A9A
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<body>, xrefs: 00405C59
function x(), xrefs: 00405CF7
</script>, xrefs: 00405E55
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
\Iexplore.exe , xrefs: 0040561A
IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

GlobalUserOffline, xrefs: 00405413
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
yes, xrefs: 00405427

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000001.00000002.1973417535.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1973366568.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973430337.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973446254.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973497611.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973509404.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1973520557.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Idogffko.exePID: 4484, Parent PID: 5228COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

2, xrefs: 00407ABD
kk32.dll, xrefs: 00407B41
surf.dat, xrefs: 00407BD4
3, xrefs: 00407AB6
frm2, xrefs: 00407E1F
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kernel32.dll, xrefs: 00407DBE
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
RegisterServiceProcess, xrefs: 00407DC8
%s\%s.exe, xrefs: 00407AD6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
dnkk.dll, xrefs: 00407BA7
KingKarton_10, xrefs: 00407968, 00407D9A

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

CLSID\%s\InProcServer32, xrefs: 004043B2
2, xrefs: 0040431D
Web Event Logger, xrefs: 00404408
%s\%s.dll, xrefs: 0040433C
Ipfhkgac, xrefs: 00404377, 0040437C
Apartment, xrefs: 004043EC
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ipfhkgac$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1770424181
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

/, xrefs: 0040781B
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407654
\command.com, xrefs: 00407737
%s/Rtdx1%i.htm, xrefs: 00407857
http://crutop.nu/index.htm, xrefs: 004074B9
%s /C %s, xrefs: 00407768
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
2, xrefs: 00407601
http://promo.ru/index.htm, xrefs: 00407442
http://kadet.ru/index.htm, xrefs: 00407485
http://kavkaz.ru/index.htm, xrefs: 00407587
wupd , xrefs: 0040778C
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
:, xrefs: 00407661
http://parex-bank.ru/index.htm, xrefs: 00407553
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://cvv.ru/index.htm, xrefs: 0040749F
%s\command.pif, xrefs: 00407726
%s\Rtdx1%i.dat, xrefs: 004077DC
http://crutop.ru/index.htm, xrefs: 004074DF
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://konfiskat.org/index.htm, xrefs: 00407539
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\cmd.pif, xrefs: 004076D6
http://fethard.biz/index.htm, xrefs: 004075C1
:%02u, xrefs: 00407682

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Click Once To Continue, xrefs: 00406C0C
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D
Please fill in the correct information to verify your identity., xrefs: 004068DB
Visa, xrefs: 0040693F
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
DocObject, xrefs: 004066E5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Your card number, xrefs: 00406A71
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
ATM PIN-Code, xrefs: 00406AE3
Explorer, xrefs: 004066F4
Security Measures, xrefs: 0040677A
BUTTON, xrefs: 00406C11
KingKarton, xrefs: 00406746
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://cvv.ru/index.php, xrefs: 00407324
http://crutop.nu/index.php, xrefs: 004071E6
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://hackers.lv/index.php, xrefs: 0040733B
http://color-bank.ru/index.php, xrefs: 00407243
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://mazafaka.ru/index.php, xrefs: 00407226
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.ru/index.php, xrefs: 0040720F
http://devx.nm.ru/index.php, xrefs: 004072D3
http://goldensand.ru/index.php, xrefs: 004072A5
vvpupkin, xrefs: 00407367
ofs_kk, xrefs: 00407382
http://filesearch.ru/index.php, xrefs: 004072BC
http://trojan.ru/index.php, xrefs: 00407271
http://fuck.ru/index.php, xrefs: 00407288
http://asechka.ru/index.php, xrefs: 0040725A

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
Please make corrections and try again., xrefs: 00406FDF
MasterCard, xrefs: 00406DB8
Visa, xrefs: 00406DCF
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
DocObject, xrefs: 00406C49
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
EDIT, xrefs: 0040701A, 00407050, 0040708C
Your card number, xrefs: 00406EF5
ATM PIN-Code, xrefs: 00406F67
Explorer, xrefs: 00406C58
BUTTON, xrefs: 004070C8
KingKarton, xrefs: 00406CBB
Card && expiration date, xrefs: 00406EB6
Authorization Failed., xrefs: 00406CEF

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
<head>, xrefs: 00405B5B
<body>, xrefs: 00405C59
</body><html>, xrefs: 00405ED6
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
function x(), xrefs: 00405CF7
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00406128
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
IEFrame, xrefs: 0040615D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
X-okRecv11, xrefs: 004061B4
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00405700
Path, xrefs: 0040557E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000002.00000002.1974169125.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1974150593.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974232276.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974262393.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974278289.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974334051.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1974358423.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Ipfhkgac.exePID: 3300, Parent PID: 4484COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

surf.dat, xrefs: 00407BD4
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kernel32.dll, xrefs: 00407DBE
dnkk.dll, xrefs: 00407BA7
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
Software\Microsoft, xrefs: 00407E24
RegisterServiceProcess, xrefs: 00407DC8
kk32.dll, xrefs: 00407B41
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
%s\%s.exe, xrefs: 00407AD6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
3, xrefs: 00407AB6
2, xrefs: 00407ABD
kk32.vxd, xrefs: 00407B74
KingKarton_10, xrefs: 00407968, 00407D9A

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316
Ikklipqi, xrefs: 00404377, 0040437C
2, xrefs: 0040431D
CLSID\%s\InProcServer32, xrefs: 004043B2
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
%s\%s.dll, xrefs: 0040433C

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ikklipqi$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2368692039
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://parex-bank.ru/index.htm, xrefs: 00407553
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s /C %s, xrefs: 00407768
:%02u, xrefs: 00407682
2, xrefs: 00407601
wupd , xrefs: 0040778C
http://kidos-bank.ru/index.htm, xrefs: 0040756D
%s\command.pif, xrefs: 00407726
%s\cmd.pif, xrefs: 004076D6
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.nu/index.htm, xrefs: 004074B9
http://konfiskat.org/index.htm, xrefs: 00407539
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s\cmd.exe, xrefs: 004076F2
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
:, xrefs: 00407661
/, xrefs: 0040781B
http://cvv.ru/index.htm, xrefs: 0040749F
http://ldark.nm.ru/index.htm, xrefs: 00407415
\command.com, xrefs: 00407737
http://fethard.biz/index.htm, xrefs: 004075C1
http://kavkaz.ru/index.htm, xrefs: 00407587
http://promo.ru/index.htm, xrefs: 00407442
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://xware.cjb.net/index.htm, xrefs: 00407513
http://crutop.ru/index.htm, xrefs: 004074DF
:, xrefs: 00407654
%s\Rtdx1%i.dat, xrefs: 004077DC
%s/Rtdx1%i.htm, xrefs: 00407857

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
Visa, xrefs: 0040693F
Full Name, xrefs: 004069F3
Please fill in the correct information to verify your identity., xrefs: 004068DB
Explorer, xrefs: 004066F4
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Your card number, xrefs: 00406A71
MasterCard, xrefs: 0040692D
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
KingKarton, xrefs: 00406746
ATM PIN-Code, xrefs: 00406AE3
BUTTON, xrefs: 00406C11
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Click Once To Continue, xrefs: 00406C0C
Security Measures, xrefs: 0040677A

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://crutop.ru/index.php, xrefs: 0040720F
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://hackers.lv/index.php, xrefs: 0040733B
http://devx.nm.ru/index.php, xrefs: 004072D3
http://filesearch.ru/index.php, xrefs: 004072BC
http://color-bank.ru/index.php, xrefs: 00407243
ofs_kk, xrefs: 00407382
http://mazafaka.ru/index.php, xrefs: 00407226
http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://fuck.ru/index.php, xrefs: 00407288
http://cvv.ru/index.php, xrefs: 00407324
http://crutop.nu/index.php, xrefs: 004071E6
http://trojan.ru/index.php, xrefs: 00407271
http://asechka.ru/index.php, xrefs: 0040725A
http://goldensand.ru/index.php, xrefs: 004072A5
http://www.redline.ru/index.php, xrefs: 0040730D
http://lovingod.host.sk/index.php, xrefs: 004072EA

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
DocObject, xrefs: 00406C49
Card && expiration date, xrefs: 00406EB6
Visa, xrefs: 00406DCF
Explorer, xrefs: 00406C58
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Your card number, xrefs: 00406EF5
MasterCard, xrefs: 00406DB8
EDIT, xrefs: 0040701A, 00407050, 0040708C
KingKarton, xrefs: 00406CBB
ATM PIN-Code, xrefs: 00406F67
BUTTON, xrefs: 004070C8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
Authorization Failed., xrefs: 00406CEF

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<body>, xrefs: 00405C59
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
function x(), xrefs: 00405CF7
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<head>, xrefs: 00405B5B
.htm, xrefs: 00405A9A
%sself.parent.location="%s";, xrefs: 00405D7B
<script>, xrefs: 00405CAE
MicroSoft-Corp, xrefs: 00405BD3
%s<title>%s%u</title>, xrefs: 00405BDF
</body><html>, xrefs: 00405ED6
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
Path, xrefs: 00405FED

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
yes, xrefs: 00405427
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
RtlInitUnicodeString, xrefs: 00402AAC
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000003.00000002.1974892317.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1974877275.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974907016.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974924265.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974935551.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974977792.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1974991958.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Ikklipqi.exePID: 5824, Parent PID: 3300COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
%s\%s.exe, xrefs: 00407AD6
kernel32.dll, xrefs: 00407DBE
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kk32.vxd, xrefs: 00407B74
2, xrefs: 00407ABD
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
RegisterServiceProcess, xrefs: 00407DC8
surf.dat, xrefs: 00407BD4
kk32.dll, xrefs: 00407B41
KingKarton_10, xrefs: 00407968, 00407D9A
frm2, xrefs: 00407E1F
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
dnkk.dll, xrefs: 00407BA7
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Software\Microsoft, xrefs: 00407E24
3, xrefs: 00407AB6

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Apartment, xrefs: 004043EC
CLSID\%s\InProcServer32, xrefs: 004043B2
Web Event Logger, xrefs: 00404408
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
2, xrefs: 0040431D
%s\%s.dll, xrefs: 0040433C
3, xrefs: 00404316
Jddqaf32, xrefs: 00404377, 0040437C

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jddqaf32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-451387459
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

:, xrefs: 00407654
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s\command.pif, xrefs: 00407726
:%02u, xrefs: 00407682
http://promo.ru/index.htm, xrefs: 00407442
%s\cmd.pif, xrefs: 004076D6
http://xware.cjb.net/index.htm, xrefs: 00407513
2, xrefs: 00407601
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\cmd.exe, xrefs: 004076F2
http://parex-bank.ru/index.htm, xrefs: 00407553
http://konfiskat.org/index.htm, xrefs: 00407539
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
%s\Rtdx1%i.dat, xrefs: 004077DC
:, xrefs: 00407661
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.ru/index.htm, xrefs: 004074DF
/, xrefs: 0040781B
%s /C %s, xrefs: 00407768
http://cvv.ru/index.htm, xrefs: 0040749F
\command.com, xrefs: 00407737
%s/Rtdx1%i.htm, xrefs: 00407857
wupd , xrefs: 0040778C
http://kavkaz.ru/index.htm, xrefs: 00407587
http://crutop.nu/index.htm, xrefs: 004074B9
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://fethard.biz/index.htm, xrefs: 004075C1

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406AAA
ATM PIN-Code, xrefs: 00406AE3
Full Name, xrefs: 004069F3
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Click Once To Continue, xrefs: 00406C0C
Security Measures, xrefs: 0040677A
Please fill in the correct information to verify your identity., xrefs: 004068DB
Visa, xrefs: 0040693F
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Explorer, xrefs: 004066F4
Your card number, xrefs: 00406A71
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
MasterCard, xrefs: 0040692D
BUTTON, xrefs: 00406C11
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
KingKarton, xrefs: 00406746

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

vvpupkin, xrefs: 00407367
http://mazafaka.ru/index.php, xrefs: 00407226
http://crutop.nu/index.php, xrefs: 004071E6
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://cvv.ru/index.php, xrefs: 00407324
http://trojan.ru/index.php, xrefs: 00407271
ofs_kk, xrefs: 00407382
crutop, xrefs: 0040736C
http://hackers.lv/index.php, xrefs: 0040733B
http://color-bank.ru/index.php, xrefs: 00407243
http://devx.nm.ru/index.php, xrefs: 004072D3
http://fuck.ru/index.php, xrefs: 00407288
http://www.redline.ru/index.php, xrefs: 0040730D
http://asechka.ru/index.php, xrefs: 0040725A
http://goldensand.ru/index.php, xrefs: 004072A5
http://filesearch.ru/index.php, xrefs: 004072BC
http://fethard.biz/index.php, xrefs: 00407352
http://crutop.ru/index.php, xrefs: 0040720F

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406F2E
ATM PIN-Code, xrefs: 00406F67
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
DocObject, xrefs: 00406C49
Card && expiration date, xrefs: 00406EB6
Click Once To Continue, xrefs: 004070C3
Please make corrections and try again., xrefs: 00406FDF
Visa, xrefs: 00406DCF
EDIT, xrefs: 0040701A, 00407050, 0040708C
Authorization Failed., xrefs: 00406CEF
Explorer, xrefs: 00406C58
Your card number, xrefs: 00406EF5
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
MasterCard, xrefs: 00406DB8
BUTTON, xrefs: 004070C8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
KingKarton, xrefs: 00406CBB

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</script>, xrefs: 00405E55
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
<html>, xrefs: 00405ABA
%sself.parent.location="%s";, xrefs: 00405D7B
</head>, xrefs: 00405C1F
%s<title>%s%u</title>, xrefs: 00405BDF
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
MicroSoft-Corp, xrefs: 00405BD3
<body>, xrefs: 00405C59

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040609F
Path, xrefs: 00405FED
IEFrame, xrefs: 0040615D
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
X-okRecv11, xrefs: 004061B4
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
MicroSoft-Corp, xrefs: 00406128
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
IEFrame, xrefs: 0040572F
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
GlobalUserOffline, xrefs: 00405413
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 00000004.00000002.1975435211.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1975424078.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975447557.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975462748.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975473999.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975484977.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1975497378.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jddqaf32.exePID: 4564, Parent PID: 5824COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

frm2, xrefs: 00407E1F
%s\%s.exe, xrefs: 00407AD6
dnkk.dll, xrefs: 00407BA7
RegisterServiceProcess, xrefs: 00407DC8
2, xrefs: 00407ABD
surf.dat, xrefs: 00407BD4
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
Software\Microsoft, xrefs: 00407E24
kernel32.dll, xrefs: 00407DBE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.dll, xrefs: 00407B41
3, xrefs: 00407AB6
kk32.vxd, xrefs: 00407B74
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
%s\%s.dll, xrefs: 0040433C
Jjqijmeq, xrefs: 00404377, 0040437C
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jjqijmeq$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2344122490
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.htm, xrefs: 004074F9
http://kadet.ru/index.htm, xrefs: 00407485
/, xrefs: 0040781B
%s\cmd.pif, xrefs: 004076D6
:%02u, xrefs: 00407682
%s\cmd.exe, xrefs: 004076F2
http://crutop.ru/index.htm, xrefs: 004074DF
http://crutop.nu/index.htm, xrefs: 004074B9
%s\command.pif, xrefs: 00407726
http://ldark.nm.ru/index.htm, xrefs: 00407415
\command.com, xrefs: 00407737
%s\Rtdx1%i.dat, xrefs: 004077DC
%s /C %s, xrefs: 00407768
:, xrefs: 00407654
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
wupd , xrefs: 0040778C
http://promo.ru/index.htm, xrefs: 00407442
http://xware.cjb.net/index.htm, xrefs: 00407513
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://konfiskat.org/index.htm, xrefs: 00407539
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
:, xrefs: 00407661
http://parex-bank.ru/index.htm, xrefs: 00407553
2, xrefs: 00407601
http://fethard.biz/index.htm, xrefs: 004075C1
http://cvv.ru/index.htm, xrefs: 0040749F
%s/Rtdx1%i.htm, xrefs: 00407857
http://kavkaz.ru/index.htm, xrefs: 00407587

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Please fill in the correct information to verify your identity., xrefs: 004068DB
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Click Once To Continue, xrefs: 00406C0C
Your card number, xrefs: 00406A71
Full Name, xrefs: 004069F3
BUTTON, xrefs: 00406C11
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Visa, xrefs: 0040693F
ATM PIN-Code, xrefs: 00406AE3
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Security Measures, xrefs: 0040677A
Explorer, xrefs: 004066F4
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.php, xrefs: 00407226
http://devx.nm.ru/index.php, xrefs: 004072D3
http://asechka.ru/index.php, xrefs: 0040725A
http://trojan.ru/index.php, xrefs: 00407271
http://filesearch.ru/index.php, xrefs: 004072BC
ofs_kk, xrefs: 00407382
http://cvv.ru/index.php, xrefs: 00407324
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://hackers.lv/index.php, xrefs: 0040733B
http://crutop.ru/index.php, xrefs: 0040720F
http://color-bank.ru/index.php, xrefs: 00407243
crutop, xrefs: 0040736C
http://fethard.biz/index.php, xrefs: 00407352
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.nu/index.php, xrefs: 004071E6
http://goldensand.ru/index.php, xrefs: 004072A5
vvpupkin, xrefs: 00407367
http://fuck.ru/index.php, xrefs: 00407288

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Authorization Failed., xrefs: 00406CEF
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
Your card number, xrefs: 00406EF5
BUTTON, xrefs: 004070C8
EDIT, xrefs: 0040701A, 00407050, 0040708C
Visa, xrefs: 00406DCF
ATM PIN-Code, xrefs: 00406F67
Please make corrections and try again., xrefs: 00406FDF
Explorer, xrefs: 00406C58
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
Card && expiration date, xrefs: 00406EB6
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<head>, xrefs: 00405B5B
</script>, xrefs: 00405E55
MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
%s<title>%s%u</title>, xrefs: 00405BDF
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<html>, xrefs: 00405ABA
.htm, xrefs: 00405A9A
<script>, xrefs: 00405CAE
<body>, xrefs: 00405C59
function x(), xrefs: 00405CF7
</body><html>, xrefs: 00405ED6
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%sself.parent.location="%s";, xrefs: 00405D7B

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128
\Iexplore.exe , xrefs: 00406048
Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
X-okRecv11, xrefs: 004061B4
IEFrame, xrefs: 0040615D

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
MicroSoft-Corp, xrefs: 00405700
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
GlobalUserOffline, xrefs: 00405413
yes, xrefs: 00405427
1601, xrefs: 004053ED
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 00000005.00000002.1976366251.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1976354615.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976379122.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976394720.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976408033.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976419684.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1976694378.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jjqijmeq.exePID: 3632, Parent PID: 4564COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
2, xrefs: 00407ABD
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
RegisterServiceProcess, xrefs: 00407DC8
dnkk.dll, xrefs: 00407BA7
kernel32.dll, xrefs: 00407DBE
frm2, xrefs: 00407E1F
%s\%s.exe, xrefs: 00407AD6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
3, xrefs: 00407AB6
surf.dat, xrefs: 00407BD4
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
kk32.dll, xrefs: 00407B41
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
Software\Microsoft, xrefs: 00407E24

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

CLSID\%s\InProcServer32, xrefs: 004043B2
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
Apartment, xrefs: 004043EC
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Jgdjcadj, xrefs: 00404377, 0040437C
Web Event Logger, xrefs: 00404408

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jgdjcadj$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3679134565
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

.4Pv, xrefs: 004040AB, 0040411B, 0040417A, 004041DC

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .4Pv
API String ID: 0-1092010752
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

wupd , xrefs: 0040778C
http://kidos-bank.ru/index.htm, xrefs: 0040756D
%s/Rtdx1%i.htm, xrefs: 00407857
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407654
%s\cmd.pif, xrefs: 004076D6
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://promo.ru/index.htm, xrefs: 00407442
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
2, xrefs: 00407601
http://konfiskat.org/index.htm, xrefs: 00407539
%s\Rtdx1%i.dat, xrefs: 004077DC
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://kadet.ru/index.htm, xrefs: 00407485
http://xware.cjb.net/index.htm, xrefs: 00407513
http://crutop.ru/index.htm, xrefs: 004074DF
/, xrefs: 0040781B
http://crutop.nu/index.htm, xrefs: 004074B9
\command.com, xrefs: 00407737
http://fethard.biz/index.htm, xrefs: 004075C1
%s /C %s, xrefs: 00407768
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407661
%s\command.pif, xrefs: 00407726
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://cvv.ru/index.htm, xrefs: 0040749F
:%02u, xrefs: 00407682
http://parex-bank.ru/index.htm, xrefs: 00407553

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Security Measures, xrefs: 0040677A
KingKarton, xrefs: 00406746
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Click Once To Continue, xrefs: 00406C0C
Please fill in the correct information to verify your identity., xrefs: 004068DB
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Visa, xrefs: 0040693F
DocObject, xrefs: 004066E5
Your card number, xrefs: 00406A71
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
Explorer, xrefs: 004066F4
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Card && expiration date, xrefs: 00406A38
MasterCard, xrefs: 0040692D
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
ATM PIN-Code, xrefs: 00406AE3

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://crutop.ru/index.php, xrefs: 0040720F
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://cvv.ru/index.php, xrefs: 00407324
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://goldensand.ru/index.php, xrefs: 004072A5
http://asechka.ru/index.php, xrefs: 0040725A
ofs_kk, xrefs: 00407382
http://mazafaka.ru/index.php, xrefs: 00407226
http://www.redline.ru/index.php, xrefs: 0040730D
http://fethard.biz/index.php, xrefs: 00407352
vvpupkin, xrefs: 00407367
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://hackers.lv/index.php, xrefs: 0040733B
crutop, xrefs: 0040736C
http://devx.nm.ru/index.php, xrefs: 004072D3
http://trojan.ru/index.php, xrefs: 00407271
http://fuck.ru/index.php, xrefs: 00407288
http://crutop.nu/index.php, xrefs: 004071E6

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406CBB
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
EDIT, xrefs: 0040701A, 00407050, 0040708C
Visa, xrefs: 00406DCF
DocObject, xrefs: 00406C49
Your card number, xrefs: 00406EF5
Please make corrections and try again., xrefs: 00406FDF
BUTTON, xrefs: 004070C8
Authorization Failed., xrefs: 00406CEF
Explorer, xrefs: 00406C58
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Card && expiration date, xrefs: 00406EB6
MasterCard, xrefs: 00406DB8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
ATM PIN-Code, xrefs: 00406F67

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%ssetTimeout("x()",%u);, xrefs: 00405E1B
MicroSoft-Corp, xrefs: 00405BD3
<body>, xrefs: 00405C59
%sself.parent.location="%s";, xrefs: 00405D7B
function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
<script>, xrefs: 00405CAE
.htm, xrefs: 00405A9A
</head>, xrefs: 00405C1F
%s<title>%s%u</title>, xrefs: 00405BDF
</script>, xrefs: 00405E55
</body><html>, xrefs: 00405ED6
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128
D, xrefs: 0040609F
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
\Iexplore.exe , xrefs: 00406048
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
MicroSoft-Corp, xrefs: 00405700
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000006.00000002.1977199811.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1977186462.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977212740.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977229569.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977240856.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977252647.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.1977303268.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jgdjcadj.exePID: 2596, Parent PID: 3632COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

2, xrefs: 00407ABD
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
dnkk.dll, xrefs: 00407BA7
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
Software\Microsoft, xrefs: 00407E24
kk32.dll, xrefs: 00407B41
surf.dat, xrefs: 00407BD4
RegisterServiceProcess, xrefs: 00407DC8
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
frm2, xrefs: 00407E1F
3, xrefs: 00407AB6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s.exe, xrefs: 00407AD6
KingKarton_10, xrefs: 00407968, 00407D9A
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kernel32.dll, xrefs: 00407DBE

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
Jqmnlf32, xrefs: 00404377, 0040437C
Apartment, xrefs: 004043EC
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316
ThreadingModel, xrefs: 004043F1

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jqmnlf32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1645147580
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 00407415
/, xrefs: 0040781B
%s\cmd.exe, xrefs: 004076F2
http://parex-bank.ru/index.htm, xrefs: 00407553
http://kadet.ru/index.htm, xrefs: 00407485
:, xrefs: 00407654
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s /C %s, xrefs: 00407768
%s\Rtdx1%i.dat, xrefs: 004077DC
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\cmd.pif, xrefs: 004076D6
%s\command.pif, xrefs: 00407726
\command.com, xrefs: 00407737
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://crutop.ru/index.htm, xrefs: 004074DF
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://kavkaz.ru/index.htm, xrefs: 00407587
:%02u, xrefs: 00407682
:, xrefs: 00407661
http://fethard.biz/index.htm, xrefs: 004075C1
http://promo.ru/index.htm, xrefs: 00407442
wupd , xrefs: 0040778C
%s/Rtdx1%i.htm, xrefs: 00407857
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://crutop.nu/index.htm, xrefs: 004074B9
http://cvv.ru/index.htm, xrefs: 0040749F
http://konfiskat.org/index.htm, xrefs: 00407539
2, xrefs: 00407601

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Your card number, xrefs: 00406A71
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Please fill in the correct information to verify your identity., xrefs: 004068DB
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Card && expiration date, xrefs: 00406A38
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Click Once To Continue, xrefs: 00406C0C
MasterCard, xrefs: 0040692D
Full Name, xrefs: 004069F3
Visa, xrefs: 0040693F
BUTTON, xrefs: 00406C11
DocObject, xrefs: 004066E5
KingKarton, xrefs: 00406746
Explorer, xrefs: 004066F4
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Security Measures, xrefs: 0040677A
ATM PIN-Code, xrefs: 00406AE3

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

crutop, xrefs: 0040736C
http://asechka.ru/index.php, xrefs: 0040725A
http://fuck.ru/index.php, xrefs: 00407288
http://goldensand.ru/index.php, xrefs: 004072A5
http://fethard.biz/index.php, xrefs: 00407352
http://www.redline.ru/index.php, xrefs: 0040730D
http://color-bank.ru/index.php, xrefs: 00407243
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382
http://crutop.ru/index.php, xrefs: 0040720F
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://trojan.ru/index.php, xrefs: 00407271
http://hackers.lv/index.php, xrefs: 0040733B
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://filesearch.ru/index.php, xrefs: 004072BC
http://mazafaka.ru/index.php, xrefs: 00407226
http://crutop.nu/index.php, xrefs: 004071E6
http://cvv.ru/index.php, xrefs: 00407324

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Your card number, xrefs: 00406EF5
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Card && expiration date, xrefs: 00406EB6
Click Once To Continue, xrefs: 004070C3
MasterCard, xrefs: 00406DB8
Visa, xrefs: 00406DCF
BUTTON, xrefs: 004070C8
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
DocObject, xrefs: 00406C49
KingKarton, xrefs: 00406CBB
Explorer, xrefs: 00406C58
EDIT, xrefs: 0040701A, 00407050, 0040708C
Please make corrections and try again., xrefs: 00406FDF
Authorization Failed., xrefs: 00406CEF
ATM PIN-Code, xrefs: 00406F67

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<body>, xrefs: 00405C59
<html>, xrefs: 00405ABA
</script>, xrefs: 00405E55
<head>, xrefs: 00405B5B
function x(), xrefs: 00405CF7
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
.htm, xrefs: 00405A9A
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
</body><html>, xrefs: 00405ED6
%s<title>%s%u</title>, xrefs: 00405BDF
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</head>, xrefs: 00405C1F

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 004061B4
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
D, xrefs: 0040609F
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 0040578F
Path, xrefs: 0040557E
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
RtlNtStatusToDosError, xrefs: 00402AF8
NtMapViewOfSection, xrefs: 00402AE8

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 00000007.00000002.1977931116.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1977919188.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977943984.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977959517.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1977970898.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978023045.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1978034709.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jqmnlf32.exePID: 6748, Parent PID: 2596COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

3, xrefs: 00407AB6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.vxd, xrefs: 00407B74
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
2, xrefs: 00407ABD
Software\Microsoft, xrefs: 00407E24
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
dnkk.dll, xrefs: 00407BA7
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
%s\%s.exe, xrefs: 00407AD6
surf.dat, xrefs: 00407BD4
RegisterServiceProcess, xrefs: 00407DC8
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
kernel32.dll, xrefs: 00407DBE
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Jkbbioja, xrefs: 00404377, 0040437C
Apartment, xrefs: 004043EC
3, xrefs: 00404316
2, xrefs: 0040431D
Web Event Logger, xrefs: 00404408
ThreadingModel, xrefs: 004043F1
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jkbbioja$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2749597900
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

\command.com, xrefs: 00407737
http://promo.ru/index.htm, xrefs: 00407442
%s\cmd.exe, xrefs: 004076F2
http://crutop.nu/index.htm, xrefs: 004074B9
http://crutop.ru/index.htm, xrefs: 004074DF
wupd , xrefs: 0040778C
%s\Rtdx1%i.dat, xrefs: 004077DC
%s /C %s, xrefs: 00407768
:, xrefs: 00407661
:%02u, xrefs: 00407682
http://konfiskat.org/index.htm, xrefs: 00407539
http://parex-bank.ru/index.htm, xrefs: 00407553
http://ldark.nm.ru/index.htm, xrefs: 00407415
/, xrefs: 0040781B
http://cvv.ru/index.htm, xrefs: 0040749F
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s\cmd.pif, xrefs: 004076D6
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\command.pif, xrefs: 00407726
2, xrefs: 00407601
http://fethard.biz/index.htm, xrefs: 004075C1
%s/Rtdx1%i.htm, xrefs: 00407857
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407654
http://kadet.ru/index.htm, xrefs: 00407485
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Full Name, xrefs: 004069F3
Security Measures, xrefs: 0040677A
Explorer, xrefs: 004066F4
Visa, xrefs: 0040693F
MasterCard, xrefs: 0040692D
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
Your card number, xrefs: 00406A71
ATM PIN-Code, xrefs: 00406AE3
Click Once To Continue, xrefs: 00406C0C
Please fill in the correct information to verify your identity., xrefs: 004068DB
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
BUTTON, xrefs: 00406C11
KingKarton, xrefs: 00406746

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://trojan.ru/index.php, xrefs: 00407271
http://crutop.nu/index.php, xrefs: 004071E6
http://filesearch.ru/index.php, xrefs: 004072BC
http://fethard.biz/index.php, xrefs: 00407352
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://fuck.ru/index.php, xrefs: 00407288
vvpupkin, xrefs: 00407367
http://crutop.ru/index.php, xrefs: 0040720F
http://mazafaka.ru/index.php, xrefs: 00407226
http://color-bank.ru/index.php, xrefs: 00407243
http://lovingod.host.sk/index.php, xrefs: 004072EA
crutop, xrefs: 0040736C
http://cvv.ru/index.php, xrefs: 00407324
http://asechka.ru/index.php, xrefs: 0040725A
ofs_kk, xrefs: 00407382
http://hackers.lv/index.php, xrefs: 0040733B
http://www.redline.ru/index.php, xrefs: 0040730D
http://goldensand.ru/index.php, xrefs: 004072A5
http://devx.nm.ru/index.php, xrefs: 004072D3

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Explorer, xrefs: 00406C58
Visa, xrefs: 00406DCF
MasterCard, xrefs: 00406DB8
DocObject, xrefs: 00406C49
Authorization Failed., xrefs: 00406CEF
Card && expiration date, xrefs: 00406EB6
Your card number, xrefs: 00406EF5
ATM PIN-Code, xrefs: 00406F67
Click Once To Continue, xrefs: 004070C3
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
EDIT, xrefs: 0040701A, 00407050, 0040708C
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
BUTTON, xrefs: 004070C8
Please make corrections and try again., xrefs: 00406FDF
KingKarton, xrefs: 00406CBB

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</script>, xrefs: 00405E55
</head>, xrefs: 00405C1F
</body><html>, xrefs: 00405ED6
<body>, xrefs: 00405C59
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
<html>, xrefs: 00405ABA
<script>, xrefs: 00405CAE
<head>, xrefs: 00405B5B
.htm, xrefs: 00405A9A
%ssetTimeout("x()",%u);, xrefs: 00405E1B
function x(), xrefs: 00405CF7
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
X-okRecv11, xrefs: 004061B4
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
Path, xrefs: 00405FED
D, xrefs: 0040609F

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040566E
IEFrame, xrefs: 0040572F
X-okRecv11, xrefs: 0040578F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
1601, xrefs: 004053ED
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 00000008.00000002.1979002610.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1978981284.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979025838.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979061860.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979083966.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979137677.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1979151293.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jkbbioja.exePID: 4280, Parent PID: 6748COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kk32.vxd, xrefs: 00407B74
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
surf.dat, xrefs: 00407BD4
Software\Microsoft, xrefs: 00407E24
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
3, xrefs: 00407AB6
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
KingKarton_10, xrefs: 00407968, 00407D9A
%s\%s.exe, xrefs: 00407AD6
kernel32.dll, xrefs: 00407DBE
RegisterServiceProcess, xrefs: 00407DC8
2, xrefs: 00407ABD
dnkk.dll, xrefs: 00407BA7
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Apartment, xrefs: 004043EC
Jbogli32, xrefs: 00404377, 0040437C
Web Event Logger, xrefs: 00404408
CLSID\%s\InProcServer32, xrefs: 004043B2
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
2, xrefs: 0040431D
%s\%s.dll, xrefs: 0040433C

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jbogli32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-342642129
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://fethard.biz/index.htm, xrefs: 004075C1
:, xrefs: 00407654
http://promo.ru/index.htm, xrefs: 00407442
http://kavkaz.ru/index.htm, xrefs: 00407587
http://parex-bank.ru/index.htm, xrefs: 00407553
%s\command.pif, xrefs: 00407726
%s /C %s, xrefs: 00407768
%s\Rtdx1%i.dat, xrefs: 004077DC
http://cvv.ru/index.htm, xrefs: 0040749F
%s\cmd.exe, xrefs: 004076F2
http://crutop.nu/index.htm, xrefs: 004074B9
\command.com, xrefs: 00407737
/, xrefs: 0040781B
:%02u, xrefs: 00407682
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.ru/index.htm, xrefs: 004074DF
:, xrefs: 00407661
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://kadet.ru/index.htm, xrefs: 00407485
http://konfiskat.org/index.htm, xrefs: 00407539
2, xrefs: 00407601
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://xware.cjb.net/index.htm, xrefs: 00407513
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://ldark.nm.ru/index.htm, xrefs: 00407415
wupd , xrefs: 0040778C
%s\cmd.pif, xrefs: 004076D6
%s/Rtdx1%i.htm, xrefs: 00407857

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
DocObject, xrefs: 004066E5
KingKarton, xrefs: 00406746
Full Name, xrefs: 004069F3
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
MasterCard, xrefs: 0040692D
ATM PIN-Code, xrefs: 00406AE3
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Your card number, xrefs: 00406A71
Security Measures, xrefs: 0040677A
Visa, xrefs: 0040693F
Please fill in the correct information to verify your identity., xrefs: 004068DB
Click Once To Continue, xrefs: 00406C0C
BUTTON, xrefs: 00406C11
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Card && expiration date, xrefs: 00406A38
Explorer, xrefs: 004066F4

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fethard.biz/index.php, xrefs: 00407352
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.nu/index.php, xrefs: 004071E6
http://asechka.ru/index.php, xrefs: 0040725A
http://trojan.ru/index.php, xrefs: 00407271
vvpupkin, xrefs: 00407367
crutop, xrefs: 0040736C
http://crutop.ru/index.php, xrefs: 0040720F
http://color-bank.ru/index.php, xrefs: 00407243
http://www.redline.ru/index.php, xrefs: 0040730D
http://cvv.ru/index.php, xrefs: 00407324
http://fuck.ru/index.php, xrefs: 00407288
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://hackers.lv/index.php, xrefs: 0040733B
ofs_kk, xrefs: 00407382
http://mazafaka.ru/index.php, xrefs: 00407226
http://goldensand.ru/index.php, xrefs: 004072A5
http://filesearch.ru/index.php, xrefs: 004072BC
http://devx.nm.ru/index.php, xrefs: 004072D3

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
DocObject, xrefs: 00406C49
KingKarton, xrefs: 00406CBB
MasterCard, xrefs: 00406DB8
ATM PIN-Code, xrefs: 00406F67
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Authorization Failed., xrefs: 00406CEF
Your card number, xrefs: 00406EF5
Visa, xrefs: 00406DCF
Click Once To Continue, xrefs: 004070C3
BUTTON, xrefs: 004070C8
EDIT, xrefs: 0040701A, 00407050, 0040708C
Card && expiration date, xrefs: 00406EB6
Please make corrections and try again., xrefs: 00406FDF
Explorer, xrefs: 00406C58

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

function x(), xrefs: 00405CF7
%s<title>%s%u</title>, xrefs: 00405BDF
</body><html>, xrefs: 00405ED6
MicroSoft-Corp, xrefs: 00405BD3
<script>, xrefs: 00405CAE
</head>, xrefs: 00405C1F
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%sself.parent.location="%s";, xrefs: 00405D7B
.htm, xrefs: 00405A9A
<body>, xrefs: 00405C59
</script>, xrefs: 00405E55
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<html>, xrefs: 00405ABA
<head>, xrefs: 00405B5B

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
D, xrefs: 0040609F
\Iexplore.exe , xrefs: 00406048
IEFrame, xrefs: 0040615D
X-okRecv11, xrefs: 004061B4
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
Path, xrefs: 00405FED

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040566E
\Iexplore.exe , xrefs: 0040561A
IEFrame, xrefs: 0040572F
X-okRecv11, xrefs: 0040578F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000009.00000002.1981390863.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1981359314.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981409119.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981441462.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981460089.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981478371.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1981498385.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jbogli32.exePID: 6008, Parent PID: 4280COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

%s\%s.exe, xrefs: 00407AD6
surf.dat, xrefs: 00407BD4
RegisterServiceProcess, xrefs: 00407DC8
kk32.vxd, xrefs: 00407B74
frm2, xrefs: 00407E1F
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
3, xrefs: 00407AB6
KingKarton_10, xrefs: 00407968, 00407D9A
2, xrefs: 00407ABD
dnkk.dll, xrefs: 00407BA7
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kk32.dll, xrefs: 00407B41
kernel32.dll, xrefs: 00407DBE
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
Apartment, xrefs: 004043EC
Kjjlpk32, xrefs: 00404377, 0040437C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
%s\%s.dll, xrefs: 0040433C
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Kjjlpk32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3335608422
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s\cmd.exe, xrefs: 004076F2
http://konfiskat.org/index.htm, xrefs: 00407539
http://crutop.nu/index.htm, xrefs: 004074B9
%s\Rtdx1%i.dat, xrefs: 004077DC
http://crutop.ru/index.htm, xrefs: 004074DF
:, xrefs: 00407654
http://kadet.ru/index.htm, xrefs: 00407485
\command.com, xrefs: 00407737
wupd , xrefs: 0040778C
http://fethard.biz/index.htm, xrefs: 004075C1
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s/Rtdx1%i.htm, xrefs: 00407857
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://kavkaz.ru/index.htm, xrefs: 00407587
http://xware.cjb.net/index.htm, xrefs: 00407513
http://cvv.ru/index.htm, xrefs: 0040749F
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s /C %s, xrefs: 00407768
:%02u, xrefs: 00407682
%s\command.pif, xrefs: 00407726
http://ldark.nm.ru/index.htm, xrefs: 00407415
:, xrefs: 00407661
http://promo.ru/index.htm, xrefs: 00407442
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://parex-bank.ru/index.htm, xrefs: 00407553
http://kidos-bank.ru/index.htm, xrefs: 0040756D
2, xrefs: 00407601
/, xrefs: 0040781B
%s\cmd.pif, xrefs: 004076D6

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

ATM PIN-Code, xrefs: 00406AE3
MasterCard, xrefs: 0040692D
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Please fill in the correct information to verify your identity., xrefs: 004068DB
Click Once To Continue, xrefs: 00406C0C
Your card number, xrefs: 00406A71
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Card && expiration date, xrefs: 00406A38
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Visa, xrefs: 0040693F
Explorer, xrefs: 004066F4
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Full Name, xrefs: 004069F3
Security Measures, xrefs: 0040677A
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
BUTTON, xrefs: 00406C11

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://asechka.ru/index.php, xrefs: 0040725A
http://fuck.ru/index.php, xrefs: 00407288
http://www.redline.ru/index.php, xrefs: 0040730D
crutop, xrefs: 0040736C
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://filesearch.ru/index.php, xrefs: 004072BC
vvpupkin, xrefs: 00407367
ofs_kk, xrefs: 00407382
http://devx.nm.ru/index.php, xrefs: 004072D3
http://mazafaka.ru/index.php, xrefs: 00407226
http://color-bank.ru/index.php, xrefs: 00407243
http://trojan.ru/index.php, xrefs: 00407271
http://goldensand.ru/index.php, xrefs: 004072A5
http://hackers.lv/index.php, xrefs: 0040733B
http://crutop.nu/index.php, xrefs: 004071E6
http://crutop.ru/index.php, xrefs: 0040720F
http://fethard.biz/index.php, xrefs: 00407352
http://cvv.ru/index.php, xrefs: 00407324

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

ATM PIN-Code, xrefs: 00406F67
MasterCard, xrefs: 00406DB8
Click Once To Continue, xrefs: 004070C3
Your card number, xrefs: 00406EF5
Card && expiration date, xrefs: 00406EB6
EDIT, xrefs: 0040701A, 00407050, 0040708C
Authorization Failed., xrefs: 00406CEF
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Visa, xrefs: 00406DCF
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Explorer, xrefs: 00406C58
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
BUTTON, xrefs: 004070C8

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
<head>, xrefs: 00405B5B
function x(), xrefs: 00405CF7
<body>, xrefs: 00405C59
</head>, xrefs: 00405C1F
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</body><html>, xrefs: 00405ED6
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
MicroSoft-Corp, xrefs: 00405BD3
<html>, xrefs: 00405ABA
%s<title>%s%u</title>, xrefs: 00405BDF
%sself.parent.location="%s";, xrefs: 00405D7B
</script>, xrefs: 00405E55

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128
Path, xrefs: 00405FED
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
Path, xrefs: 0040557E
\Iexplore.exe , xrefs: 0040561A
D, xrefs: 0040566E
IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
GlobalUserOffline, xrefs: 00405413
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 0000000A.00000002.1981480371.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1981463244.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981500181.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981518334.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981535468.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981554111.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1981574426.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Kjjlpk32.exePID: 6668, Parent PID: 6008COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kk32.vxd, xrefs: 00407B74
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
3, xrefs: 00407AB6
dnkk.dll, xrefs: 00407BA7
frm2, xrefs: 00407E1F
kernel32.dll, xrefs: 00407DBE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
%s\%s.exe, xrefs: 00407AD6
surf.dat, xrefs: 00407BD4
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.dll, xrefs: 00407B41
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
RegisterServiceProcess, xrefs: 00407DC8
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
2, xrefs: 00407ABD
Software\Microsoft, xrefs: 00407E24

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Web Event Logger, xrefs: 00404408
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Apartment, xrefs: 004043EC
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
3, xrefs: 00404316
Kkjhjn32, xrefs: 00404377, 0040437C

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Kkjhjn32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3315599610
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

\command.com, xrefs: 00407737
http://cvv.ru/index.htm, xrefs: 0040749F
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407661
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.ru/index.htm, xrefs: 004074DF
http://crutop.nu/index.htm, xrefs: 004074B9
http://promo.ru/index.htm, xrefs: 00407442
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s /C %s, xrefs: 00407768
http://mazafaka.ru/index.htm, xrefs: 004074F9
/, xrefs: 0040781B
http://fethard.biz/index.htm, xrefs: 004075C1
http://kavkaz.ru/index.htm, xrefs: 00407587
:%02u, xrefs: 00407682
2, xrefs: 00407601
wupd , xrefs: 0040778C
%s\command.pif, xrefs: 00407726
http://parex-bank.ru/index.htm, xrefs: 00407553
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\Rtdx1%i.dat, xrefs: 004077DC
:, xrefs: 00407654
%s/Rtdx1%i.htm, xrefs: 00407857
http://kadet.ru/index.htm, xrefs: 00407485
http://konfiskat.org/index.htm, xrefs: 00407539

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
Visa, xrefs: 0040693F
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
ATM PIN-Code, xrefs: 00406AE3
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Security Measures, xrefs: 0040677A
MasterCard, xrefs: 0040692D
Click Once To Continue, xrefs: 00406C0C
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Please fill in the correct information to verify your identity., xrefs: 004068DB
Your card number, xrefs: 00406A71
KingKarton, xrefs: 00406746
Explorer, xrefs: 004066F4
BUTTON, xrefs: 00406C11
3-digit validation code on back of card (cvv2), xrefs: 00406AAA

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://goldensand.ru/index.php, xrefs: 004072A5
http://www.redline.ru/index.php, xrefs: 0040730D
ofs_kk, xrefs: 00407382
http://devx.nm.ru/index.php, xrefs: 004072D3
http://fethard.biz/index.php, xrefs: 00407352
http://cvv.ru/index.php, xrefs: 00407324
http://hackers.lv/index.php, xrefs: 0040733B
vvpupkin, xrefs: 00407367
http://fuck.ru/index.php, xrefs: 00407288
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.ru/index.php, xrefs: 0040720F
crutop, xrefs: 0040736C
http://crutop.nu/index.php, xrefs: 004071E6
http://asechka.ru/index.php, xrefs: 0040725A
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://color-bank.ru/index.php, xrefs: 00407243
http://mazafaka.ru/index.php, xrefs: 00407226
http://trojan.ru/index.php, xrefs: 00407271
http://filesearch.ru/index.php, xrefs: 004072BC

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

EDIT, xrefs: 0040701A, 00407050, 0040708C
Authorization Failed., xrefs: 00406CEF
DocObject, xrefs: 00406C49
Card && expiration date, xrefs: 00406EB6
Visa, xrefs: 00406DCF
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
ATM PIN-Code, xrefs: 00406F67
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8
Click Once To Continue, xrefs: 004070C3
Your card number, xrefs: 00406EF5
KingKarton, xrefs: 00406CBB
Explorer, xrefs: 00406C58
BUTTON, xrefs: 004070C8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Please make corrections and try again., xrefs: 00406FDF

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
<html>, xrefs: 00405ABA
MicroSoft-Corp, xrefs: 00405BD3
function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
</script>, xrefs: 00405E55
<body>, xrefs: 00405C59
%sself.parent.location="%s";, xrefs: 00405D7B
</head>, xrefs: 00405C1F

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
X-okRecv11, xrefs: 004061B4
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
D, xrefs: 0040609F
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
D, xrefs: 0040566E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
BrowseNewProcess, xrefs: 0040542C
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 0000000B.00000002.1982547116.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1982532563.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982562302.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982619934.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982634475.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982648037.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1982663077.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Kkjhjn32.exePID: 7112, Parent PID: 6668COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

surf.dat, xrefs: 00407BD4
kk32.dll, xrefs: 00407B41
dnkk.dll, xrefs: 00407BA7
KingKarton_10, xrefs: 00407968, 00407D9A
Software\Microsoft, xrefs: 00407E24
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
%s\%s.exe, xrefs: 00407AD6
3, xrefs: 00407AB6
kk32.vxd, xrefs: 00407B74
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kernel32.dll, xrefs: 00407DBE
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
2, xrefs: 00407ABD
frm2, xrefs: 00407E1F
RegisterServiceProcess, xrefs: 00407DC8

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
%s\%s.dll, xrefs: 0040433C
Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Khnicb32, xrefs: 00404377, 0040437C
CLSID\%s\InProcServer32, xrefs: 004043B2
3, xrefs: 00404316
ThreadingModel, xrefs: 004043F1

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Khnicb32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1356434055
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.htm, xrefs: 004074F9
http://fethard.biz/index.htm, xrefs: 004075C1
%s\cmd.pif, xrefs: 004076D6
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
wupd , xrefs: 0040778C
http://kadet.ru/index.htm, xrefs: 00407485
http://parex-bank.ru/index.htm, xrefs: 00407553
http://kidos-bank.ru/index.htm, xrefs: 0040756D
:, xrefs: 00407661
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407654
%s\command.pif, xrefs: 00407726
:%02u, xrefs: 00407682
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://cvv.ru/index.htm, xrefs: 0040749F
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s/Rtdx1%i.htm, xrefs: 00407857
/, xrefs: 0040781B
http://xware.cjb.net/index.htm, xrefs: 00407513
http://promo.ru/index.htm, xrefs: 00407442
\command.com, xrefs: 00407737
2, xrefs: 00407601
%s\Rtdx1%i.dat, xrefs: 004077DC
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.nu/index.htm, xrefs: 004074B9
%s /C %s, xrefs: 00407768
http://kavkaz.ru/index.htm, xrefs: 00407587
http://konfiskat.org/index.htm, xrefs: 00407539
http://crutop.ru/index.htm, xrefs: 004074DF

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Security Measures, xrefs: 0040677A
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Full Name, xrefs: 004069F3
Your card number, xrefs: 00406A71
Card && expiration date, xrefs: 00406A38
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Click Once To Continue, xrefs: 00406C0C
Visa, xrefs: 0040693F
BUTTON, xrefs: 00406C11
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
Please fill in the correct information to verify your identity., xrefs: 004068DB
Explorer, xrefs: 004066F4
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
ATM PIN-Code, xrefs: 00406AE3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://devx.nm.ru/index.php, xrefs: 004072D3
http://cvv.ru/index.php, xrefs: 00407324
http://fuck.ru/index.php, xrefs: 00407288
crutop, xrefs: 0040736C
http://goldensand.ru/index.php, xrefs: 004072A5
http://www.redline.ru/index.php, xrefs: 0040730D
ofs_kk, xrefs: 00407382
vvpupkin, xrefs: 00407367
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://asechka.ru/index.php, xrefs: 0040725A
http://fethard.biz/index.php, xrefs: 00407352
http://mazafaka.ru/index.php, xrefs: 00407226
http://crutop.nu/index.php, xrefs: 004071E6
http://hackers.lv/index.php, xrefs: 0040733B
http://crutop.ru/index.php, xrefs: 0040720F
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://trojan.ru/index.php, xrefs: 00407271

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406F2E
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Your card number, xrefs: 00406EF5
Card && expiration date, xrefs: 00406EB6
Authorization Failed., xrefs: 00406CEF
EDIT, xrefs: 0040701A, 00407050, 0040708C
Click Once To Continue, xrefs: 004070C3
Visa, xrefs: 00406DCF
BUTTON, xrefs: 004070C8
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
Explorer, xrefs: 00406C58
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
ATM PIN-Code, xrefs: 00406F67
MasterCard, xrefs: 00406DB8
Please make corrections and try again., xrefs: 00406FDF

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
</script>, xrefs: 00405E55
%sself.parent.location="%s";, xrefs: 00405D7B
function x(), xrefs: 00405CF7
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
MicroSoft-Corp, xrefs: 00405BD3
%s<title>%s%u</title>, xrefs: 00405BDF
<head>, xrefs: 00405B5B
</head>, xrefs: 00405C1F
<script>, xrefs: 00405CAE
<body>, xrefs: 00405C59
</body><html>, xrefs: 00405ED6
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040609F
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Path, xrefs: 00405FED
X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
1601, xrefs: 004053ED
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
GlobalUserOffline, xrefs: 00405413
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlInitUnicodeString, xrefs: 00402AAC
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 0000000C.00000002.1985545476.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1985494680.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985567194.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985624794.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985638069.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985650730.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1985704536.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Khnicb32.exePID: 7184, Parent PID: 7112COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kernel32.dll, xrefs: 00407DBE
dnkk.dll, xrefs: 00407BA7
kk32.dll, xrefs: 00407B41
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
KingKarton_10, xrefs: 00407968, 00407D9A
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
2, xrefs: 00407ABD
%s\%s.exe, xrefs: 00407AD6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
RegisterServiceProcess, xrefs: 00407DC8
Software\Microsoft, xrefs: 00407E24
surf.dat, xrefs: 00407BD4
kk32.vxd, xrefs: 00407B74
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
3, xrefs: 00407AB6
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

CLSID\%s\InProcServer32, xrefs: 004043B2
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Khbbobom, xrefs: 00404377, 0040437C
Apartment, xrefs: 004043EC
3, xrefs: 00404316
2, xrefs: 0040431D
ThreadingModel, xrefs: 004043F1
Web Event Logger, xrefs: 00404408
%s\%s.dll, xrefs: 0040433C
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Khbbobom$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-636811236
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://kidos-bank.ru/index.htm, xrefs: 0040756D
:, xrefs: 00407661
http://fethard.biz/index.htm, xrefs: 004075C1
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://crutop.ru/index.htm, xrefs: 004074DF
http://parex-bank.ru/index.htm, xrefs: 00407553
http://konfiskat.org/index.htm, xrefs: 00407539
http://promo.ru/index.htm, xrefs: 00407442
%s/Rtdx1%i.htm, xrefs: 00407857
wupd , xrefs: 0040778C
%s\cmd.exe, xrefs: 004076F2
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\cmd.pif, xrefs: 004076D6
%s /C %s, xrefs: 00407768
%s\Rtdx1%i.dat, xrefs: 004077DC
/, xrefs: 0040781B
%s\command.pif, xrefs: 00407726
:, xrefs: 00407654
http://cvv.ru/index.htm, xrefs: 0040749F
2, xrefs: 00407601
\command.com, xrefs: 00407737
http://kadet.ru/index.htm, xrefs: 00407485
:%02u, xrefs: 00407682
http://kavkaz.ru/index.htm, xrefs: 00407587
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://xware.cjb.net/index.htm, xrefs: 00407513
http://crutop.nu/index.htm, xrefs: 004074B9

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Click Once To Continue, xrefs: 00406C0C
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Your card number, xrefs: 00406A71
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Please fill in the correct information to verify your identity., xrefs: 004068DB
KingKarton, xrefs: 00406746
Explorer, xrefs: 004066F4
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
BUTTON, xrefs: 00406C11
Security Measures, xrefs: 0040677A
DocObject, xrefs: 004066E5
MasterCard, xrefs: 0040692D
Visa, xrefs: 0040693F
ATM PIN-Code, xrefs: 00406AE3
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Card && expiration date, xrefs: 00406A38
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Full Name, xrefs: 004069F3

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://crutop.ru/index.php, xrefs: 0040720F
vvpupkin, xrefs: 00407367
http://goldensand.ru/index.php, xrefs: 004072A5
crutop, xrefs: 0040736C
http://trojan.ru/index.php, xrefs: 00407271
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://asechka.ru/index.php, xrefs: 0040725A
http://mazafaka.ru/index.php, xrefs: 00407226
http://hackers.lv/index.php, xrefs: 0040733B
http://www.redline.ru/index.php, xrefs: 0040730D
http://cvv.ru/index.php, xrefs: 00407324
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://fuck.ru/index.php, xrefs: 00407288
http://crutop.nu/index.php, xrefs: 004071E6
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382
http://fethard.biz/index.php, xrefs: 00407352

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Click Once To Continue, xrefs: 004070C3
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Your card number, xrefs: 00406EF5
KingKarton, xrefs: 00406CBB
Explorer, xrefs: 00406C58
BUTTON, xrefs: 004070C8
DocObject, xrefs: 00406C49
MasterCard, xrefs: 00406DB8
Please make corrections and try again., xrefs: 00406FDF
Visa, xrefs: 00406DCF
ATM PIN-Code, xrefs: 00406F67
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Authorization Failed., xrefs: 00406CEF
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Card && expiration date, xrefs: 00406EB6
EDIT, xrefs: 0040701A, 00407050, 0040708C
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
<head>, xrefs: 00405B5B
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
<body>, xrefs: 00405C59
%sself.parent.location="%s";, xrefs: 00405D7B

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
D, xrefs: 0040609F
Path, xrefs: 00405FED
X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
IEFrame, xrefs: 0040615D
\Iexplore.exe , xrefs: 00406048
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 0000000D.00000002.1987451625.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1987436334.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987471681.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987530153.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987548511.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987621189.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1987634399.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Khbbobom.exePID: 7200, Parent PID: 7184COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

RegisterServiceProcess, xrefs: 00407DC8
2, xrefs: 00407ABD
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.vxd, xrefs: 00407B74
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kk32.dll, xrefs: 00407B41
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
3, xrefs: 00407AB6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
%s\%s.exe, xrefs: 00407AD6
kernel32.dll, xrefs: 00407DBE
dnkk.dll, xrefs: 00407BA7
surf.dat, xrefs: 00407BD4

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

3, xrefs: 00404316
ThreadingModel, xrefs: 004043F1
Apartment, xrefs: 004043EC
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Lbmcmgck, xrefs: 00404377, 0040437C
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Lbmcmgck$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-711008957
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

2, xrefs: 00407601
:, xrefs: 00407661
http://kavkaz.ru/index.htm, xrefs: 00407587
http://promo.ru/index.htm, xrefs: 00407442
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s\cmd.pif, xrefs: 004076D6
http://parex-bank.ru/index.htm, xrefs: 00407553
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://xware.cjb.net/index.htm, xrefs: 00407513
:%02u, xrefs: 00407682
/, xrefs: 0040781B
http://konfiskat.org/index.htm, xrefs: 00407539
http://mazafaka.ru/index.htm, xrefs: 004074F9
wupd , xrefs: 0040778C
%s\Rtdx1%i.dat, xrefs: 004077DC
\command.com, xrefs: 00407737
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://crutop.ru/index.htm, xrefs: 004074DF
%s\cmd.exe, xrefs: 004076F2
http://fethard.biz/index.htm, xrefs: 004075C1
:, xrefs: 00407654
%s /C %s, xrefs: 00407768
http://crutop.nu/index.htm, xrefs: 004074B9
http://cvv.ru/index.htm, xrefs: 0040749F
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s\command.pif, xrefs: 00407726
%s/Rtdx1%i.htm, xrefs: 00407857
http://kadet.ru/index.htm, xrefs: 00407485

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Card && expiration date, xrefs: 00406A38
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Your card number, xrefs: 00406A71
KingKarton, xrefs: 00406746
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
MasterCard, xrefs: 0040692D
Please fill in the correct information to verify your identity., xrefs: 004068DB
Click Once To Continue, xrefs: 00406C0C
DocObject, xrefs: 004066E5
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
ATM PIN-Code, xrefs: 00406AE3
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Explorer, xrefs: 004066F4
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Security Measures, xrefs: 0040677A
Visa, xrefs: 0040693F

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

vvpupkin, xrefs: 00407367
http://color-bank.ru/index.php, xrefs: 00407243
crutop, xrefs: 0040736C
http://hackers.lv/index.php, xrefs: 0040733B
http://asechka.ru/index.php, xrefs: 0040725A
http://crutop.ru/index.php, xrefs: 0040720F
http://filesearch.ru/index.php, xrefs: 004072BC
http://cvv.ru/index.php, xrefs: 00407324
http://fethard.biz/index.php, xrefs: 00407352
ofs_kk, xrefs: 00407382
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://devx.nm.ru/index.php, xrefs: 004072D3
http://mazafaka.ru/index.php, xrefs: 00407226
http://www.redline.ru/index.php, xrefs: 0040730D
http://goldensand.ru/index.php, xrefs: 004072A5
http://fuck.ru/index.php, xrefs: 00407288
http://crutop.nu/index.php, xrefs: 004071E6
http://trojan.ru/index.php, xrefs: 00407271

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Authorization Failed., xrefs: 00406CEF
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Card && expiration date, xrefs: 00406EB6
Your card number, xrefs: 00406EF5
KingKarton, xrefs: 00406CBB
MasterCard, xrefs: 00406DB8
Click Once To Continue, xrefs: 004070C3
DocObject, xrefs: 00406C49
BUTTON, xrefs: 004070C8
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Please make corrections and try again., xrefs: 00406FDF
ATM PIN-Code, xrefs: 00406F67
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Explorer, xrefs: 00406C58
EDIT, xrefs: 0040701A, 00407050, 0040708C
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Visa, xrefs: 00406DCF

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<head>, xrefs: 00405B5B
function x(), xrefs: 00405CF7
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</head>, xrefs: 00405C1F
%s<title>%s%u</title>, xrefs: 00405BDF
%ssetTimeout("x()",%u);, xrefs: 00405E1B
</body><html>, xrefs: 00405ED6
<body>, xrefs: 00405C59
<script>, xrefs: 00405CAE
</script>, xrefs: 00405E55
.htm, xrefs: 00405A9A
%sself.parent.location="%s";, xrefs: 00405D7B
<html>, xrefs: 00405ABA
MicroSoft-Corp, xrefs: 00405BD3

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
X-okRecv11, xrefs: 004061B4
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
1601, xrefs: 004053ED
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 0000000E.00000002.1988679848.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1988666514.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988693951.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988710737.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988722985.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988735112.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1988972523.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Lbmcmgck.exePID: 7216, Parent PID: 7200COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
KingKarton_10, xrefs: 00407968, 00407D9A
2, xrefs: 00407ABD
kk32.dll, xrefs: 00407B41
Software\Microsoft, xrefs: 00407E24
frm2, xrefs: 00407E1F
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kk32.vxd, xrefs: 00407B74
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
dnkk.dll, xrefs: 00407BA7
%s\%s.exe, xrefs: 00407AD6
RegisterServiceProcess, xrefs: 00407DC8
surf.dat, xrefs: 00407BD4
3, xrefs: 00407AB6
kernel32.dll, xrefs: 00407DBE

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
Lqbqnc32, xrefs: 00404377, 0040437C
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
%s\%s.dll, xrefs: 0040433C
ThreadingModel, xrefs: 004043F1
Web Event Logger, xrefs: 00404408
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Lqbqnc32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2308158327
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 00407415
http://konfiskat.org/index.htm, xrefs: 00407539
http://fethard.biz/index.htm, xrefs: 004075C1
http://xware.cjb.net/index.htm, xrefs: 00407513
:, xrefs: 00407661
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
wupd , xrefs: 0040778C
http://cvv.ru/index.htm, xrefs: 0040749F
http://mazafaka.ru/index.htm, xrefs: 004074F9
:%02u, xrefs: 00407682
http://kadet.ru/index.htm, xrefs: 00407485
/, xrefs: 0040781B
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s\command.pif, xrefs: 00407726
http://promo.ru/index.htm, xrefs: 00407442
http://kavkaz.ru/index.htm, xrefs: 00407587
http://crutop.nu/index.htm, xrefs: 004074B9
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
\command.com, xrefs: 00407737
2, xrefs: 00407601
http://parex-bank.ru/index.htm, xrefs: 00407553
%s\cmd.exe, xrefs: 004076F2
%s /C %s, xrefs: 00407768
%s\Rtdx1%i.dat, xrefs: 004077DC
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://crutop.ru/index.htm, xrefs: 004074DF
%s/Rtdx1%i.htm, xrefs: 00407857
%s\cmd.pif, xrefs: 004076D6
:, xrefs: 00407654

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Explorer, xrefs: 004066F4
Your card number, xrefs: 00406A71
BUTTON, xrefs: 00406C11
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Click Once To Continue, xrefs: 00406C0C
Visa, xrefs: 0040693F
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Security Measures, xrefs: 0040677A
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
MasterCard, xrefs: 0040692D
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
ATM PIN-Code, xrefs: 00406AE3
Please fill in the correct information to verify your identity., xrefs: 004068DB

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

ofs_kk, xrefs: 00407382
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://trojan.ru/index.php, xrefs: 00407271
http://goldensand.ru/index.php, xrefs: 004072A5
http://color-bank.ru/index.php, xrefs: 00407243
http://asechka.ru/index.php, xrefs: 0040725A
vvpupkin, xrefs: 00407367
http://crutop.ru/index.php, xrefs: 0040720F
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.nu/index.php, xrefs: 004071E6
crutop, xrefs: 0040736C
http://mazafaka.ru/index.php, xrefs: 00407226
http://filesearch.ru/index.php, xrefs: 004072BC
http://cvv.ru/index.php, xrefs: 00407324
http://fuck.ru/index.php, xrefs: 00407288
http://fethard.biz/index.php, xrefs: 00407352
http://devx.nm.ru/index.php, xrefs: 004072D3
http://hackers.lv/index.php, xrefs: 0040733B

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Authorization Failed., xrefs: 00406CEF
Explorer, xrefs: 00406C58
Please make corrections and try again., xrefs: 00406FDF
Your card number, xrefs: 00406EF5
BUTTON, xrefs: 004070C8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Click Once To Continue, xrefs: 004070C3
Visa, xrefs: 00406DCF
EDIT, xrefs: 0040701A, 00407050, 0040708C
Card && expiration date, xrefs: 00406EB6
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
ATM PIN-Code, xrefs: 00406F67

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<head>, xrefs: 00405B5B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
MicroSoft-Corp, xrefs: 00405BD3
</body><html>, xrefs: 00405ED6
<html>, xrefs: 00405ABA
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
%sself.parent.location="%s";, xrefs: 00405D7B
<body>, xrefs: 00405C59
%s<title>%s%u</title>, xrefs: 00405BDF

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
IEFrame, xrefs: 0040615D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
BrowseNewProcess, xrefs: 0040542C
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 0000000F.00000002.1990149392.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1990092243.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990432302.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990453239.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990505125.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990519563.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1990533609.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Lqbqnc32.exePID: 7232, Parent PID: 7216COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
surf.dat, xrefs: 00407BD4
dnkk.dll, xrefs: 00407BA7
Software\Microsoft, xrefs: 00407E24
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
3, xrefs: 00407AB6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
%s\%s.exe, xrefs: 00407AD6
frm2, xrefs: 00407E1F
KingKarton_10, xrefs: 00407968, 00407D9A
2, xrefs: 00407ABD
kernel32.dll, xrefs: 00407DBE
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
RegisterServiceProcess, xrefs: 00407DC8
kk32.dll, xrefs: 00407B41
kk32.vxd, xrefs: 00407B74

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

%s\%s.dll, xrefs: 0040433C
ThreadingModel, xrefs: 004043F1
Lileeqgb, xrefs: 00404377, 0040437C
CLSID\%s\InProcServer32, xrefs: 004043B2
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Lileeqgb$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1130128081
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://cvv.ru/index.htm, xrefs: 0040749F
:%02u, xrefs: 00407682
http://fethard.biz/index.htm, xrefs: 004075C1
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://konfiskat.org/index.htm, xrefs: 00407539
%s\command.pif, xrefs: 00407726
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
2, xrefs: 00407601
:, xrefs: 00407661
%s\Rtdx1%i.dat, xrefs: 004077DC
http://parex-bank.ru/index.htm, xrefs: 00407553
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.ru/index.htm, xrefs: 004074DF
%s\cmd.exe, xrefs: 004076F2
http://crutop.nu/index.htm, xrefs: 004074B9
\command.com, xrefs: 00407737
:, xrefs: 00407654
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://promo.ru/index.htm, xrefs: 00407442
/, xrefs: 0040781B
%s\cmd.pif, xrefs: 004076D6
%s/Rtdx1%i.htm, xrefs: 00407857
http://xware.cjb.net/index.htm, xrefs: 00407513
wupd , xrefs: 0040778C
http://kavkaz.ru/index.htm, xrefs: 00407587
%s /C %s, xrefs: 00407768

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Visa, xrefs: 0040693F
ATM PIN-Code, xrefs: 00406AE3
KingKarton, xrefs: 00406746
Please fill in the correct information to verify your identity., xrefs: 004068DB
MasterCard, xrefs: 0040692D
Security Measures, xrefs: 0040677A
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Your card number, xrefs: 00406A71
Click Once To Continue, xrefs: 00406C0C
DocObject, xrefs: 004066E5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
BUTTON, xrefs: 00406C11
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Explorer, xrefs: 004066F4

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://filesearch.ru/index.php, xrefs: 004072BC
http://cvv.ru/index.php, xrefs: 00407324
http://mazafaka.ru/index.php, xrefs: 00407226
http://trojan.ru/index.php, xrefs: 00407271
http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://www.redline.ru/index.php, xrefs: 0040730D
vvpupkin, xrefs: 00407367
http://crutop.nu/index.php, xrefs: 004071E6
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://color-bank.ru/index.php, xrefs: 00407243
http://asechka.ru/index.php, xrefs: 0040725A
http://devx.nm.ru/index.php, xrefs: 004072D3
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://crutop.ru/index.php, xrefs: 0040720F
http://fuck.ru/index.php, xrefs: 00407288
http://hackers.lv/index.php, xrefs: 0040733B
http://goldensand.ru/index.php, xrefs: 004072A5
ofs_kk, xrefs: 00407382

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Visa, xrefs: 00406DCF
Authorization Failed., xrefs: 00406CEF
ATM PIN-Code, xrefs: 00406F67
KingKarton, xrefs: 00406CBB
Please make corrections and try again., xrefs: 00406FDF
MasterCard, xrefs: 00406DB8
EDIT, xrefs: 0040701A, 00407050, 0040708C
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Your card number, xrefs: 00406EF5
Click Once To Continue, xrefs: 004070C3
DocObject, xrefs: 00406C49
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
BUTTON, xrefs: 004070C8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Card && expiration date, xrefs: 00406EB6
Explorer, xrefs: 00406C58

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<body>, xrefs: 00405C59
<html>, xrefs: 00405ABA
<script>, xrefs: 00405CAE
<head>, xrefs: 00405B5B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
MicroSoft-Corp, xrefs: 00405BD3
%ssetTimeout("x()",%u);, xrefs: 00405E1B
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
</body><html>, xrefs: 00405ED6

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

\Iexplore.exe , xrefs: 00406048
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
X-okRecv11, xrefs: 004061B4
IEFrame, xrefs: 0040615D
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

\Iexplore.exe , xrefs: 0040561A
%s%u - Microsoft Internet Explorer, xrefs: 00405705
X-okRecv11, xrefs: 0040578F
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700
Path, xrefs: 0040557E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413
1601, xrefs: 004053ED
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
NtUnmapViewOfSection, xrefs: 00402ABC
RtlNtStatusToDosError, xrefs: 00402AF8
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000010.00000002.1991842995.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1991812213.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991869947.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991897037.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991920214.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991942302.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1991962189.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Lileeqgb.exePID: 7248, Parent PID: 7232COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
3, xrefs: 00407AB6
RegisterServiceProcess, xrefs: 00407DC8
kernel32.dll, xrefs: 00407DBE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
surf.dat, xrefs: 00407BD4
%s\%s.exe, xrefs: 00407AD6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
dnkk.dll, xrefs: 00407BA7
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Software\Microsoft, xrefs: 00407E24
2, xrefs: 00407ABD
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.vxd, xrefs: 00407B74
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

%s\%s.dll, xrefs: 0040433C
Web Event Logger, xrefs: 00404408
Lgqbfmlj, xrefs: 00404377, 0040437C
Apartment, xrefs: 004043EC
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
3, xrefs: 00404316
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Lgqbfmlj$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1326097330
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

D6J., xrefs: 004040AB, 0040411B, 0040417A, 004041DC

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: D6J.
API String ID: 0-3281265428
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://kavkaz.ru/index.htm, xrefs: 00407587
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
wupd , xrefs: 0040778C
:%02u, xrefs: 00407682
%s\cmd.exe, xrefs: 004076F2
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://konfiskat.org/index.htm, xrefs: 00407539
%s\command.pif, xrefs: 00407726
2, xrefs: 00407601
http://fethard.biz/index.htm, xrefs: 004075C1
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://ldark.nm.ru/index.htm, xrefs: 00407415
:, xrefs: 00407654
http://ldark.nm.ru/index.htm, xrefs: 004075A7
/, xrefs: 0040781B
http://crutop.ru/index.htm, xrefs: 004074DF
http://crutop.nu/index.htm, xrefs: 004074B9
%s\cmd.pif, xrefs: 004076D6
http://xware.cjb.net/index.htm, xrefs: 00407513
http://kadet.ru/index.htm, xrefs: 00407485
http://promo.ru/index.htm, xrefs: 00407442
:, xrefs: 00407661
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://cvv.ru/index.htm, xrefs: 0040749F
%s/Rtdx1%i.htm, xrefs: 00407857
\command.com, xrefs: 00407737
http://parex-bank.ru/index.htm, xrefs: 00407553
%s\Rtdx1%i.dat, xrefs: 004077DC
%s /C %s, xrefs: 00407768

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Your card number, xrefs: 00406A71
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
ATM PIN-Code, xrefs: 00406AE3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Explorer, xrefs: 004066F4
Click Once To Continue, xrefs: 00406C0C
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Security Measures, xrefs: 0040677A
KingKarton, xrefs: 00406746
Visa, xrefs: 0040693F
DocObject, xrefs: 004066E5
Please fill in the correct information to verify your identity., xrefs: 004068DB
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Card && expiration date, xrefs: 00406A38
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
MasterCard, xrefs: 0040692D

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://asechka.ru/index.php, xrefs: 0040725A
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://cvv.ru/index.php, xrefs: 00407324
http://fuck.ru/index.php, xrefs: 00407288
ofs_kk, xrefs: 00407382
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://fethard.biz/index.php, xrefs: 00407352
vvpupkin, xrefs: 00407367
http://crutop.ru/index.php, xrefs: 0040720F
crutop, xrefs: 0040736C
http://crutop.nu/index.php, xrefs: 004071E6
http://hackers.lv/index.php, xrefs: 0040733B
http://www.redline.ru/index.php, xrefs: 0040730D
http://trojan.ru/index.php, xrefs: 00407271
http://devx.nm.ru/index.php, xrefs: 004072D3
http://goldensand.ru/index.php, xrefs: 004072A5
http://mazafaka.ru/index.php, xrefs: 00407226

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Your card number, xrefs: 00406EF5
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
ATM PIN-Code, xrefs: 00406F67
Please make corrections and try again., xrefs: 00406FDF
Explorer, xrefs: 00406C58
Click Once To Continue, xrefs: 004070C3
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
KingKarton, xrefs: 00406CBB
Visa, xrefs: 00406DCF
Authorization Failed., xrefs: 00406CEF
DocObject, xrefs: 00406C49
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
EDIT, xrefs: 0040701A, 00407050, 0040708C
Card && expiration date, xrefs: 00406EB6
BUTTON, xrefs: 004070C8
MasterCard, xrefs: 00406DB8

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</body><html>, xrefs: 00405ED6
.htm, xrefs: 00405A9A
%ssetTimeout("x()",%u);, xrefs: 00405E1B
MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
function x(), xrefs: 00405CF7
<script>, xrefs: 00405CAE
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%s<title>%s%u</title>, xrefs: 00405BDF
<head>, xrefs: 00405B5B
</script>, xrefs: 00405E55
<body>, xrefs: 00405C59
%sself.parent.location="%s";, xrefs: 00405D7B
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 004061B4
\Iexplore.exe , xrefs: 00406048
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
IEFrame, xrefs: 0040615D
D, xrefs: 0040609F
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
%s%u - Microsoft Internet Explorer, xrefs: 00405705
D, xrefs: 0040566E
IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
Path, xrefs: 0040557E
MicroSoft-Corp, xrefs: 00405700

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000011.00000002.1992921664.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1992905191.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1992970209.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993036044.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993056877.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993075518.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1993134642.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Lgqbfmlj.exePID: 7264, Parent PID: 7248COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
Software\Microsoft, xrefs: 00407E24
RegisterServiceProcess, xrefs: 00407DC8
kernel32.dll, xrefs: 00407DBE
kk32.vxd, xrefs: 00407B74
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
frm2, xrefs: 00407E1F
KingKarton_10, xrefs: 00407968, 00407D9A
surf.dat, xrefs: 00407BD4
kk32.dll, xrefs: 00407B41
3, xrefs: 00407AB6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
2, xrefs: 00407ABD
%s\%s.exe, xrefs: 00407AD6
dnkk.dll, xrefs: 00407BA7
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
Mbiciein, xrefs: 00404377, 0040437C
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
3, xrefs: 00404316
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mbiciein$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3871679422
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.htm, xrefs: 004074F9
http://kadet.ru/index.htm, xrefs: 00407485
/, xrefs: 0040781B
%s\cmd.pif, xrefs: 004076D6
http://konfiskat.org/index.htm, xrefs: 00407539
:%02u, xrefs: 00407682
:, xrefs: 00407654
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://cvv.ru/index.htm, xrefs: 0040749F
2, xrefs: 00407601
http://crutop.ru/index.htm, xrefs: 004074DF
\command.com, xrefs: 00407737
http://fethard.biz/index.htm, xrefs: 004075C1
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s\Rtdx1%i.dat, xrefs: 004077DC
%s /C %s, xrefs: 00407768
%s\cmd.exe, xrefs: 004076F2
http://kavkaz.ru/index.htm, xrefs: 00407587
http://promo.ru/index.htm, xrefs: 00407442
http://crutop.nu/index.htm, xrefs: 004074B9
wupd , xrefs: 0040778C
%s\command.pif, xrefs: 00407726
http://parex-bank.ru/index.htm, xrefs: 00407553
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s/Rtdx1%i.htm, xrefs: 00407857
http://xware.cjb.net/index.htm, xrefs: 00407513
:, xrefs: 00407661

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406746
ATM PIN-Code, xrefs: 00406AE3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Click Once To Continue, xrefs: 00406C0C
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
BUTTON, xrefs: 00406C11
Security Measures, xrefs: 0040677A
Explorer, xrefs: 004066F4
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Please fill in the correct information to verify your identity., xrefs: 004068DB
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
MasterCard, xrefs: 0040692D
DocObject, xrefs: 004066E5
Your card number, xrefs: 00406A71
Visa, xrefs: 0040693F
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

ofs_kk, xrefs: 00407382
crutop, xrefs: 0040736C
http://crutop.nu/index.php, xrefs: 004071E6
http://asechka.ru/index.php, xrefs: 0040725A
http://trojan.ru/index.php, xrefs: 00407271
http://fuck.ru/index.php, xrefs: 00407288
http://cvv.ru/index.php, xrefs: 00407324
http://goldensand.ru/index.php, xrefs: 004072A5
http://fethard.biz/index.php, xrefs: 00407352
vvpupkin, xrefs: 00407367
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.ru/index.php, xrefs: 0040720F
http://filesearch.ru/index.php, xrefs: 004072BC
http://devx.nm.ru/index.php, xrefs: 004072D3
http://hackers.lv/index.php, xrefs: 0040733B
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://mazafaka.ru/index.php, xrefs: 00407226
http://color-bank.ru/index.php, xrefs: 00407243

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406CBB
ATM PIN-Code, xrefs: 00406F67
Authorization Failed., xrefs: 00406CEF
Click Once To Continue, xrefs: 004070C3
BUTTON, xrefs: 004070C8
Explorer, xrefs: 00406C58
Card && expiration date, xrefs: 00406EB6
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
MasterCard, xrefs: 00406DB8
DocObject, xrefs: 00406C49
Your card number, xrefs: 00406EF5
Visa, xrefs: 00406DCF
EDIT, xrefs: 0040701A, 00407050, 0040708C

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
%ssetTimeout("x()",%u);, xrefs: 00405E1B
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
<html>, xrefs: 00405ABA
%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
<script>, xrefs: 00405CAE
<body>, xrefs: 00405C59
</body><html>, xrefs: 00405ED6
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<head>, xrefs: 00405B5B
</script>, xrefs: 00405E55

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00406128
IEFrame, xrefs: 0040615D
\Iexplore.exe , xrefs: 00406048
X-okRecv11, xrefs: 004061B4
Path, xrefs: 00405FED
D, xrefs: 0040609F
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00405700
IEFrame, xrefs: 0040572F
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
Path, xrefs: 0040557E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
Software\Microsoft\IE Setup\Setup, xrefs: 00405583

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000012.00000002.1994543221.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1994529778.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994565007.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994583063.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994596954.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994610248.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1994623199.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Xtks4KI16J.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SysWOW64\Alqeloga.dll

C:\Windows\SysWOW64\Beofla32.dll

C:\Windows\SysWOW64\Biiggc32.dll

C:\Windows\SysWOW64\Cacope32.dll

C:\Windows\SysWOW64\Ckllojnq.dll

C:\Windows\SysWOW64\Cmjgejad.dll

C:\Windows\SysWOW64\Dajmooqf.dll

C:\Windows\SysWOW64\Dblkhkce.dll

C:\Windows\SysWOW64\Efqdik32.dll

C:\Windows\SysWOW64\Egobfg32.dll

C:\Windows\SysWOW64\Ekicli32.dll

C:\Windows\SysWOW64\Epibpnek.dll

C:\Windows\SysWOW64\Fpianhmj.dll

C:\Windows\SysWOW64\Gedgjccb.dll

C:\Windows\SysWOW64\Ghhjiigd.dll

C:\Windows\SysWOW64\Gjdogi32.dll

C:\Windows\SysWOW64\Glblcojl.dll

C:\Windows\SysWOW64\Hdlllf32.dll

Windows Analysis Report
Xtks4KI16J.exe