Windows Analysis Report
f6t9qa761D.exe

Overview

General Information

Sample name: f6t9qa761D.exe
renamed because original name is a hash value
Original sample name: cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Analysis ID: 1515137
MD5: f66386730c3497ca644c7e77d5d793b0
SHA1: 5da659a3e0af11bc6202517eacca18f4014b705d
SHA256: cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948
Tags: exe, user-Chainskilabs

Detection

Berbew, Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Berbew
Yara detected Njrat
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Yara signature match

Classification

Name: Berbew
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.berbew

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: f6t9qa761D.exe Avira: detected
Source: http://color-bank.ru/index.php Avira URL Cloud: Label: malware
Source: http://parex-bank.ru/index.htm Avira URL Cloud: Label: malware
Source: http://kidos-bank.ru/index.htm Avira URL Cloud: Label: malware
Source: http://ros-neftbank.ru/index.php Avira URL Cloud: Label: malware
Source: http://gaz-prom.ru/index.htm Virustotal: Detection: 8%
Source: http://kidos-bank.ru/index.htm Virustotal: Detection: 12%
Source: http://mazafaka.ru/index.htm Virustotal: Detection: 8%
Source: f6t9qa761D.exe Virustotal: Detection: 91%
Source: f6t9qa761D.exe ReversingLabs: Detection: 100%
Source: Yara match File source: f6t9qa761D.exe, type: SAMPLE
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: f6t9qa761D.exe Joe Sandbox ML: detected
Source: f6t9qa761D.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then add eax, 04h 9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then jne 00403D1Fh 9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then popad 9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then add ebx, 04h 9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then jl 00403D74h 9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then add eax, 0Ch 9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then popad 9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then pop edi 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then mov ebx, 00408F6Ch 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then sub ecx, eax 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xor edx, edx 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then push eax 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then div edi 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xchg eax, ecx 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then add eax, edi 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then loop 00403E23h 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then mov eax, 0042B000h 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then mov ebx, 0042E3D0h 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then sub ecx, eax 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xor edx, edx 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then push eax 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then div edi 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xchg eax, ecx 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then add eax, edi 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then loop 00403E83h 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then popad 9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then inc eax 9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then test eax, eax 9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: 4x nop then jne 0043006Ch 9_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov eax, 00401000h 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor edx, edx 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov eax, 0042B000h 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then cmp eax, 00000000h 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ebx, 0042E3D0h 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ecx, ebx 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then sub ecx, eax 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then pop eax 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor dword ptr [eax], esi 10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then je 00403D01h 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then inc eax 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then jne 00403CD7h 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov eax, 0042B000h 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then je 00403D37h 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then add eax, 04h 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then jne 00403D1Fh 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then popad 10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then add ebx, 04h 10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then jl 00403D74h 10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then add eax, 0Ch 10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then popad 10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then pop edi 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ebx, 00408F6Ch 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then sub ecx, eax 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor edx, edx 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then push eax 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then div edi 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xchg eax, ecx 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then add eax, edi 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then loop 00403E23h 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov eax, 0042B000h 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ebx, 0042E3D0h 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then sub ecx, eax 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor edx, edx 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then push eax 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then div edi 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xchg eax, ecx 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then add eax, edi 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then loop 00403E83h 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then popad 10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor edx, edx 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov eax, 0042B000h 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then cmp eax, 00000000h 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ebx, 0042E3D0h 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then mov ecx, ebx 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then sub ecx, eax 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then pop eax 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: 4x nop then xor dword ptr [eax], esi 10_2_0042FE60
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then sub ecx, eax 11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then pop eax 11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xor dword ptr [eax], esi 11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov ebx, dword ptr [eax] 11_2_0043000C
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then cmp ebx, ecx 11_2_0043000C
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then je 00403D01h 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then inc eax 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then jne 00403CD7h 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov eax, 0042B000h 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then je 00403D37h 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then add eax, 04h 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then jne 00403D1Fh 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then popad 11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then add ebx, 04h 11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then jl 00403D74h 11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then add eax, 0Ch 11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then popad 11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then pop edi 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov ebx, 00408F6Ch 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then sub ecx, eax 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xor edx, edx 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then push eax 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then div edi 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xchg eax, ecx 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then add eax, edi 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then loop 00403E23h 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov eax, 0042B000h 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then mov ebx, 0042E3D0h 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then sub ecx, eax 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xor edx, edx 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then push eax 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then div edi 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then xchg eax, ecx 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then add eax, edi 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then loop 00403E83h 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then popad 11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: 4x nop then call 0043000Ch 11_2_0042FE60
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then pushad 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then pop edi 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then cmp eax, 00000000h 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor edx, edx 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then div edi 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xchg eax, ecx 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then je 004300D2h 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor edx, edx 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then div edi 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor dword ptr [eax], esi 12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then je 00403D01h 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then inc eax 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then jne 00403CD7h 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then mov eax, 0042B000h 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then je 00403D37h 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then add eax, 04h 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then jne 00403D1Fh 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then popad 12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then add ebx, 04h 12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then jl 00403D74h 12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then add eax, 0Ch 12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then popad 12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then pop edi 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then mov ebx, 00408F6Ch 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then sub ecx, eax 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xor edx, edx 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then push eax 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then div edi 12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: 4x nop then xchg eax, ecx 12_2_00403DC3
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://fethard.biz/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://filesearch.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://fuck.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://gaz-prom.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://goldensand.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://hackers.lv/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://kadet.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://kavkaz.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://kidos-bank.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://konfiskat.org/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://ldark.nm.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://lovingod.host.sk/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://mazafaka.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://mazafaka.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://parex-bank.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://potleaf.chat.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://promo.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://ros-neftbank.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://trojan.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://www.redline.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe String found in binary or memory: http://xware.cjb.net/index.htm

E-Banking Fraud

Source: Yara match File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match File source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

System Summary

Source: f6t9qa761D.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: f6t9qa761D.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jagibbdg.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jokilfca.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kegnnphk.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Knccbbff.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kkgclgep.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kkipaf32.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Loplncai.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mlfimg32.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mhmiah32.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mddjfiih.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mbhkpnhb.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mkqoicnb.exe.12.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mdicai32.exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mfhplllf.exe.14.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nncepn32.exe.15.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nmdeneap.exe.16.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nfmigk32.exe.17.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nnhnkmek.exe.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ninbhfea.exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nfacbjdk.exe.20.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Npjgkp32.exe.21.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Opldpphi.exe.22.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oiehie32.exe.23.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Obmmbkej.exe.24.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oleakplj.exe.25.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oiibddkd.exe.26.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ofmbni32.exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Onigbk32.exe.28.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pnkdgk32.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plaafobm.exe.30.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plfjan32.exe.31.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Abgiogom.exe.32.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Afeaee32.exe.33.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Apmfnklc.exe.34.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aiejgqbd.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Abnopf32.exe.36.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Boepdgoi.exe.37.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bmfpbogh.exe.38.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Beadgadc.exe.39.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\f6t9qa761D.exe File created: C:\Windows\SysWOW64\Jagibbdg.exe
Source: C:\Users\user\Desktop\f6t9qa761D.exe File created: C:\Windows\SysWOW64\Jagibbdg.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\f6t9qa761D.exe File created: C:\Windows\SysWOW64\Doaepp32.dll
Source: C:\Windows\SysWOW64\Jagibbdg.exe File created: C:\Windows\SysWOW64\Jokilfca.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe File created: C:\Windows\SysWOW64\Clajoglf.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe File created: C:\Windows\SysWOW64\Kegnnphk.exe
Source: C:\Windows\SysWOW64\Jokilfca.exe File created: C:\Windows\SysWOW64\Flbkld32.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe File created: C:\Windows\SysWOW64\Knccbbff.exe
Source: C:\Windows\SysWOW64\Kegnnphk.exe File created: C:\Windows\SysWOW64\Fkcpdl32.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe File created: C:\Windows\SysWOW64\Kkgclgep.exe
Source: C:\Windows\SysWOW64\Knccbbff.exe File created: C:\Windows\SysWOW64\Qanqbgdb.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe File created: C:\Windows\SysWOW64\Kkipaf32.exe
Source: C:\Windows\SysWOW64\Kkgclgep.exe File created: C:\Windows\SysWOW64\Kbelgk32.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe File created: C:\Windows\SysWOW64\Loplncai.exe
Source: C:\Windows\SysWOW64\Kkipaf32.exe File created: C:\Windows\SysWOW64\Eoifoe32.dll
Source: C:\Windows\SysWOW64\Loplncai.exe File created: C:\Windows\SysWOW64\Mlfimg32.exe
Source: C:\Windows\SysWOW64\Loplncai.exe File created: C:\Windows\SysWOW64\Jflaad32.dll
Source: C:\Windows\SysWOW64\Mlfimg32.exe File created: C:\Windows\SysWOW64\Mhmiah32.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe File created: C:\Windows\SysWOW64\Imjgmahp.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe File created: C:\Windows\SysWOW64\Mddjfiih.exe
Source: C:\Windows\SysWOW64\Mhmiah32.exe File created: C:\Windows\SysWOW64\Ekdhoi32.dll
Source: C:\Windows\SysWOW64\Mddjfiih.exe File created: C:\Windows\SysWOW64\Mbhkpnhb.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe File created: C:\Windows\SysWOW64\Makogp32.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe File created: C:\Windows\SysWOW64\Mkqoicnb.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe File created: C:\Windows\SysWOW64\Gkehlfaa.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe File created: C:\Windows\SysWOW64\Mdicai32.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe File created: C:\Windows\SysWOW64\Ihifngfk.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe File created: C:\Windows\SysWOW64\Mfhplllf.exe
Source: C:\Windows\SysWOW64\Mdicai32.exe File created: C:\Windows\SysWOW64\Eeflcm32.dll
Source: C:\Windows\SysWOW64\Mfhplllf.exe File created: C:\Windows\SysWOW64\Nncepn32.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe File created: C:\Windows\SysWOW64\Gfhipbln.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Nmdeneap.exe
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Efhade32.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe File created: C:\Windows\SysWOW64\Nfmigk32.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe File created: C:\Windows\SysWOW64\Jhemcd32.dll
Source: C:\Windows\SysWOW64\Nfmigk32.exe File created: C:\Windows\SysWOW64\Nnhnkmek.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe File created: C:\Windows\SysWOW64\Eakcoodc.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe File created: C:\Windows\SysWOW64\Ninbhfea.exe
Source: C:\Windows\SysWOW64\Nnhnkmek.exe File created: C:\Windows\SysWOW64\Nnglhjfe.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe File created: C:\Windows\SysWOW64\Nfacbjdk.exe
Source: C:\Windows\SysWOW64\Ninbhfea.exe File created: C:\Windows\SysWOW64\Okilnjci.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe File created: C:\Windows\SysWOW64\Npjgkp32.exe
Source: C:\Windows\SysWOW64\Nfacbjdk.exe File created: C:\Windows\SysWOW64\Abagca32.dll
Source: C:\Windows\SysWOW64\Npjgkp32.exe File created: C:\Windows\SysWOW64\Opldpphi.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe File created: C:\Windows\SysWOW64\Caghjf32.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe File created: C:\Windows\SysWOW64\Oiehie32.exe
Source: C:\Windows\SysWOW64\Opldpphi.exe File created: C:\Windows\SysWOW64\Pppjem32.dll
Source: C:\Windows\SysWOW64\Oiehie32.exe File created: C:\Windows\SysWOW64\Obmmbkej.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe File created: C:\Windows\SysWOW64\Jpegka32.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe File created: C:\Windows\SysWOW64\Oleakplj.exe
Source: C:\Windows\SysWOW64\Obmmbkej.exe File created: C:\Windows\SysWOW64\Kkqaeb32.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe File created: C:\Windows\SysWOW64\Oiibddkd.exe
Source: C:\Windows\SysWOW64\Oleakplj.exe File created: C:\Windows\SysWOW64\Njcedipl.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe File created: C:\Windows\SysWOW64\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe File created: C:\Windows\SysWOW64\Jdlgaj32.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe File created: C:\Windows\SysWOW64\Onigbk32.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe File created: C:\Windows\SysWOW64\Fompebbg.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe File created: C:\Windows\SysWOW64\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe File created: C:\Windows\SysWOW64\Efljmjpm.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe File created: C:\Windows\SysWOW64\Plaafobm.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe File created: C:\Windows\SysWOW64\Gdcmha32.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe File created: C:\Windows\SysWOW64\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe File created: C:\Windows\SysWOW64\Khhkcgiq.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe File created: C:\Windows\SysWOW64\Abgiogom.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe File created: C:\Windows\SysWOW64\Bkmjkjhd.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe File created: C:\Windows\SysWOW64\Afeaee32.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe File created: C:\Windows\SysWOW64\Kkpgnmhh.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe File created: C:\Windows\SysWOW64\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe File created: C:\Windows\SysWOW64\Cjemgabj.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe File created: C:\Windows\SysWOW64\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe File created: C:\Windows\SysWOW64\Akecacdm.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe File created: C:\Windows\SysWOW64\Abnopf32.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe File created: C:\Windows\SysWOW64\Cboabb32.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe File created: C:\Windows\SysWOW64\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe File created: C:\Windows\SysWOW64\Nikaqk32.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe File created: C:\Windows\SysWOW64\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe File created: C:\Windows\SysWOW64\Folfac32.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe File created: C:\Windows\SysWOW64\Beadgadc.exe
Source: C:\Windows\SysWOW64\Bmfpbogh.exe File created: C:\Windows\SysWOW64\Pilbmhcp.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Users\user\Desktop\f6t9qa761D.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Users\user\Desktop\f6t9qa761D.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Apmfnklc.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Apmfnklc.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Npjgkp32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Npjgkp32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mdicai32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mdicai32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mlfimg32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jagibbdg.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jagibbdg.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Abnopf32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Abnopf32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kkgclgep.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kkgclgep.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oiibddkd.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oiibddkd.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mfhplllf.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mfhplllf.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Knccbbff.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Knccbbff.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Abgiogom.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Abgiogom.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Opldpphi.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Opldpphi.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Afeaee32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Afeaee32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Boepdgoi.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Boepdgoi.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mhmiah32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Plfjan32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Plfjan32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mddjfiih.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oleakplj.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oleakplj.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ofmbni32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ofmbni32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Onigbk32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Onigbk32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nfmigk32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nfmigk32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Plaafobm.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Plaafobm.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jokilfca.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jokilfca.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ninbhfea.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ninbhfea.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nmdeneap.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nmdeneap.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Loplncai.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Loplncai.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Obmmbkej.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Obmmbkej.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nncepn32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nncepn32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kegnnphk.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kegnnphk.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oiehie32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oiehie32.exe Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kkipaf32.exe Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kkipaf32.exe Code function: String function: 00408F18 appears 42 times
Source: f6t9qa761D.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: f6t9qa761D.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: classification engine Classification label: mal100.troj.evad.winEXE@78/79@0/0
Source: f6t9qa761D.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\f6t9qa761D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: f6t9qa761D.exe Virustotal: Detection: 91%
Source: f6t9qa761D.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\f6t9qa761D.exe File read: C:\Users\user\Desktop\f6t9qa761D.exe
Source: unknown Process created: C:\Users\user\Desktop\f6t9qa761D.exe "C:\Users\user\Desktop\f6t9qa761D.exe"
Source: C:\Users\user\Desktop\f6t9qa761D.exe Process created: C:\Windows\SysWOW64\Jagibbdg.exe C:\Windows\system32\Jagibbdg.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe Process created: C:\Windows\SysWOW64\Jokilfca.exe C:\Windows\system32\Jokilfca.exe
Source: C:\Windows\SysWOW64\Jokilfca.exe Process created: C:\Windows\SysWOW64\Kegnnphk.exe C:\Windows\system32\Kegnnphk.exe
Source: C:\Windows\SysWOW64\Kegnnphk.exe Process created: C:\Windows\SysWOW64\Knccbbff.exe C:\Windows\system32\Knccbbff.exe
Source: C:\Windows\SysWOW64\Knccbbff.exe Process created: C:\Windows\SysWOW64\Kkgclgep.exe C:\Windows\system32\Kkgclgep.exe
Source: C:\Windows\SysWOW64\Kkgclgep.exe Process created: C:\Windows\SysWOW64\Kkipaf32.exe C:\Windows\system32\Kkipaf32.exe
Source: C:\Windows\SysWOW64\Kkipaf32.exe Process created: C:\Windows\SysWOW64\Loplncai.exe C:\Windows\system32\Loplncai.exe
Source: C:\Windows\SysWOW64\Loplncai.exe Process created: C:\Windows\SysWOW64\Mlfimg32.exe C:\Windows\system32\Mlfimg32.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe Process created: C:\Windows\SysWOW64\Mhmiah32.exe C:\Windows\system32\Mhmiah32.exe
Source: C:\Windows\SysWOW64\Mhmiah32.exe Process created: C:\Windows\SysWOW64\Mddjfiih.exe C:\Windows\system32\Mddjfiih.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe Process created: C:\Windows\SysWOW64\Mbhkpnhb.exe C:\Windows\system32\Mbhkpnhb.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Process created: C:\Windows\SysWOW64\Mkqoicnb.exe C:\Windows\system32\Mkqoicnb.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Process created: C:\Windows\SysWOW64\Mdicai32.exe C:\Windows\system32\Mdicai32.exe
Source: C:\Windows\SysWOW64\Mdicai32.exe Process created: C:\Windows\SysWOW64\Mfhplllf.exe C:\Windows\system32\Mfhplllf.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe Process created: C:\Windows\SysWOW64\Nncepn32.exe C:\Windows\system32\Nncepn32.exe
Source: C:\Windows\SysWOW64\Nncepn32.exe Process created: C:\Windows\SysWOW64\Nmdeneap.exe C:\Windows\system32\Nmdeneap.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe Process created: C:\Windows\SysWOW64\Nfmigk32.exe C:\Windows\system32\Nfmigk32.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe Process created: C:\Windows\SysWOW64\Nnhnkmek.exe C:\Windows\system32\Nnhnkmek.exe
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Process created: C:\Windows\SysWOW64\Ninbhfea.exe C:\Windows\system32\Ninbhfea.exe
Source: C:\Windows\SysWOW64\Ninbhfea.exe Process created: C:\Windows\SysWOW64\Nfacbjdk.exe C:\Windows\system32\Nfacbjdk.exe
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Process created: C:\Windows\SysWOW64\Npjgkp32.exe C:\Windows\system32\Npjgkp32.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe Process created: C:\Windows\SysWOW64\Opldpphi.exe C:\Windows\system32\Opldpphi.exe
Source: C:\Windows\SysWOW64\Opldpphi.exe Process created: C:\Windows\SysWOW64\Oiehie32.exe C:\Windows\system32\Oiehie32.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe Process created: C:\Windows\SysWOW64\Obmmbkej.exe C:\Windows\system32\Obmmbkej.exe
Source: C:\Windows\SysWOW64\Obmmbkej.exe Process created: C:\Windows\SysWOW64\Oleakplj.exe C:\Windows\system32\Oleakplj.exe
Source: C:\Windows\SysWOW64\Oleakplj.exe Process created: C:\Windows\SysWOW64\Oiibddkd.exe C:\Windows\system32\Oiibddkd.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe Process created: C:\Windows\SysWOW64\Ofmbni32.exe C:\Windows\system32\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe Process created: C:\Windows\SysWOW64\Onigbk32.exe C:\Windows\system32\Onigbk32.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe Process created: C:\Windows\SysWOW64\Pnkdgk32.exe C:\Windows\system32\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Process created: C:\Windows\SysWOW64\Plaafobm.exe C:\Windows\system32\Plaafobm.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe Process created: C:\Windows\SysWOW64\Plfjan32.exe C:\Windows\system32\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe Process created: C:\Windows\SysWOW64\Abgiogom.exe C:\Windows\system32\Abgiogom.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe Process created: C:\Windows\SysWOW64\Afeaee32.exe C:\Windows\system32\Afeaee32.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe Process created: C:\Windows\SysWOW64\Apmfnklc.exe C:\Windows\system32\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe Process created: C:\Windows\SysWOW64\Aiejgqbd.exe C:\Windows\system32\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Process created: C:\Windows\SysWOW64\Abnopf32.exe C:\Windows\system32\Abnopf32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe Process created: C:\Windows\SysWOW64\Boepdgoi.exe C:\Windows\system32\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe Process created: C:\Windows\SysWOW64\Bmfpbogh.exe C:\Windows\system32\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\f6t9qa761D.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\f6t9qa761D.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\f6t9qa761D.exe Section loaded: crtdll.dll
Source: C:\Users\user\Desktop\f6t9qa761D.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Jagibbdg.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Jagibbdg.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Jagibbdg.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Jagibbdg.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Loplncai.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Loplncai.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Loplncai.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Loplncai.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mlfimg32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mlfimg32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mlfimg32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mlfimg32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mddjfiih.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mddjfiih.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mddjfiih.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mddjfiih.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Mfhplllf.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Mfhplllf.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Mfhplllf.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Mfhplllf.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nfmigk32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nfmigk32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nfmigk32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nfmigk32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Npjgkp32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Npjgkp32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Npjgkp32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Npjgkp32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oiehie32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oiehie32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oiehie32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oiehie32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Section loaded: ntmarta.dll
Source: initial sample Static PE information: section where entry point is pointing to: .fldo
Source: f6t9qa761D.exe Static PE information: section name: .fldo
Source: f6t9qa761D.exe Static PE information: section name: .l1
Source: Jagibbdg.exe.1.dr Static PE information: section name: .fldo
Source: Jagibbdg.exe.1.dr Static PE information: section name: .l1
Source: Jokilfca.exe.2.dr Static PE information: section name: .fldo
Source: Jokilfca.exe.2.dr Static PE information: section name: .l1
Source: Kegnnphk.exe.3.dr Static PE information: section name: .fldo
Source: Kegnnphk.exe.3.dr Static PE information: section name: .l1
Source: Knccbbff.exe.4.dr Static PE information: section name: .fldo
Source: Knccbbff.exe.4.dr Static PE information: section name: .l1
Source: Kkgclgep.exe.5.dr Static PE information: section name: .fldo
Source: Kkgclgep.exe.5.dr Static PE information: section name: .l1
Source: Kkipaf32.exe.6.dr Static PE information: section name: .fldo
Source: Kkipaf32.exe.6.dr Static PE information: section name: .l1
Source: Loplncai.exe.7.dr Static PE information: section name: .fldo
Source: Loplncai.exe.7.dr Static PE information: section name: .l1
Source: Mlfimg32.exe.8.dr Static PE information: section name: .fldo
Source: Mlfimg32.exe.8.dr Static PE information: section name: .l1
Source: Mhmiah32.exe.9.dr Static PE information: section name: .fldo
Source: Mhmiah32.exe.9.dr Static PE information: section name: .l1
Source: Mddjfiih.exe.10.dr Static PE information: section name: .fldo
Source: Mddjfiih.exe.10.dr Static PE information: section name: .l1
Source: Mbhkpnhb.exe.11.dr Static PE information: section name: .fldo
Source: Mbhkpnhb.exe.11.dr Static PE information: section name: .l1
Source: Mkqoicnb.exe.12.dr Static PE information: section name: .fldo
Source: Mkqoicnb.exe.12.dr Static PE information: section name: .l1
Source: Mdicai32.exe.13.dr Static PE information: section name: .fldo
Source: Mdicai32.exe.13.dr Static PE information: section name: .l1
Source: Mfhplllf.exe.14.dr Static PE information: section name: .fldo
Source: Mfhplllf.exe.14.dr Static PE information: section name: .l1
Source: Nncepn32.exe.15.dr Static PE information: section name: .fldo
Source: Nncepn32.exe.15.dr Static PE information: section name: .l1
Source: Nmdeneap.exe.16.dr Static PE information: section name: .fldo
Source: Nmdeneap.exe.16.dr Static PE information: section name: .l1
Source: Nfmigk32.exe.17.dr Static PE information: section name: .fldo
Source: Nfmigk32.exe.17.dr Static PE information: section name: .l1
Source: Nnhnkmek.exe.18.dr Static PE information: section name: .fldo
Source: Nnhnkmek.exe.18.dr Static PE information: section name: .l1
Source: Ninbhfea.exe.19.dr Static PE information: section name: .fldo
Source: Ninbhfea.exe.19.dr Static PE information: section name: .l1
Source: Nfacbjdk.exe.20.dr Static PE information: section name: .fldo
Source: Nfacbjdk.exe.20.dr Static PE information: section name: .l1
Source: Npjgkp32.exe.21.dr Static PE information: section name: .fldo
Source: Npjgkp32.exe.21.dr Static PE information: section name: .l1
Source: Opldpphi.exe.22.dr Static PE information: section name: .fldo
Source: Opldpphi.exe.22.dr Static PE information: section name: .l1
Source: Oiehie32.exe.23.dr Static PE information: section name: .fldo
Source: Oiehie32.exe.23.dr Static PE information: section name: .l1
Source: Obmmbkej.exe.24.dr Static PE information: section name: .fldo
Source: Obmmbkej.exe.24.dr Static PE information: section name: .l1
Source: Oleakplj.exe.25.dr Static PE information: section name: .fldo
Source: Oleakplj.exe.25.dr Static PE information: section name: .l1
Source: Oiibddkd.exe.26.dr Static PE information: section name: .fldo
Source: Oiibddkd.exe.26.dr Static PE information: section name: .l1
Source: Ofmbni32.exe.27.dr Static PE information: section name: .fldo
Source: Ofmbni32.exe.27.dr Static PE information: section name: .l1
Source: Onigbk32.exe.28.dr Static PE information: section name: .fldo
Source: Onigbk32.exe.28.dr Static PE information: section name: .l1
Source: Pnkdgk32.exe.29.dr Static PE information: section name: .fldo
Source: Pnkdgk32.exe.29.dr Static PE information: section name: .l1
Source: Plaafobm.exe.30.dr Static PE information: section name: .fldo
Source: Plaafobm.exe.30.dr Static PE information: section name: .l1
Source: Plfjan32.exe.31.dr Static PE information: section name: .fldo
Source: Plfjan32.exe.31.dr Static PE information: section name: .l1
Source: Abgiogom.exe.32.dr Static PE information: section name: .fldo
Source: Abgiogom.exe.32.dr Static PE information: section name: .l1
Source: Afeaee32.exe.33.dr Static PE information: section name: .fldo
Source: Afeaee32.exe.33.dr Static PE information: section name: .l1
Source: Apmfnklc.exe.34.dr Static PE information: section name: .fldo
Source: Apmfnklc.exe.34.dr Static PE information: section name: .l1
Source: Aiejgqbd.exe.35.dr Static PE information: section name: .fldo
Source: Aiejgqbd.exe.35.dr Static PE information: section name: .l1
Source: Abnopf32.exe.36.dr Static PE information: section name: .fldo
Source: Abnopf32.exe.36.dr Static PE information: section name: .l1
Source: Boepdgoi.exe.37.dr Static PE information: section name: .fldo
Source: Boepdgoi.exe.37.dr Static PE information: section name: .l1
Source: Bmfpbogh.exe.38.dr Static PE information: section name: .fldo
Source: Bmfpbogh.exe.38.dr Static PE information: section name: .l1
Source: Beadgadc.exe.39.dr Static PE information: section name: .fldo
Source: Beadgadc.exe.39.dr Static PE information: section name: .l1
Source: f6t9qa761D.exe Static PE information: section name: .text entropy: 7.129435722610816
Source: Jagibbdg.exe.1.dr Static PE information: section name: .text entropy: 7.162455714032348
Source: Jokilfca.exe.2.dr Static PE information: section name: .text entropy: 7.15982708692499
Source: Kegnnphk.exe.3.dr Static PE information: section name: .text entropy: 7.162131595786184
Source: Knccbbff.exe.4.dr Static PE information: section name: .text entropy: 7.16380020135791
Source: Kkgclgep.exe.5.dr Static PE information: section name: .text entropy: 7.199588493733589
Source: Kkipaf32.exe.6.dr Static PE information: section name: .text entropy: 7.158411480101382
Source: Loplncai.exe.7.dr Static PE information: section name: .text entropy: 7.111314339012284
Source: Mlfimg32.exe.8.dr Static PE information: section name: .text entropy: 7.20545575363383
Source: Mhmiah32.exe.9.dr Static PE information: section name: .text entropy: 7.111854620392808
Source: Mddjfiih.exe.10.dr Static PE information: section name: .text entropy: 7.17622940485195
Source: Mbhkpnhb.exe.11.dr Static PE information: section name: .text entropy: 7.161093985501556
Source: Mkqoicnb.exe.12.dr Static PE information: section name: .text entropy: 6.949372414467907
Source: Mdicai32.exe.13.dr Static PE information: section name: .text entropy: 7.183156955694525
Source: Mfhplllf.exe.14.dr Static PE information: section name: .text entropy: 7.181495996708354
Source: Nncepn32.exe.15.dr Static PE information: section name: .text entropy: 7.152756617942734
Source: Nmdeneap.exe.16.dr Static PE information: section name: .text entropy: 7.174675474540074
Source: Nfmigk32.exe.17.dr Static PE information: section name: .text entropy: 7.13576525796639
Source: Nnhnkmek.exe.18.dr Static PE information: section name: .text entropy: 7.159687221034241
Source: Ninbhfea.exe.19.dr Static PE information: section name: .text entropy: 7.168950881448808
Source: Nfacbjdk.exe.20.dr Static PE information: section name: .text entropy: 6.915128603158092
Source: Npjgkp32.exe.21.dr Static PE information: section name: .text entropy: 7.099734896483985
Source: Opldpphi.exe.22.dr Static PE information: section name: .text entropy: 7.160455727491319
Source: Oiehie32.exe.23.dr Static PE information: section name: .text entropy: 6.969272790137508
Source: Obmmbkej.exe.24.dr Static PE information: section name: .text entropy: 7.119068507640744
Source: Oleakplj.exe.25.dr Static PE information: section name: .text entropy: 7.149858436442656
Source: Oiibddkd.exe.26.dr Static PE information: section name: .text entropy: 7.1400998969697005
Source: Ofmbni32.exe.27.dr Static PE information: section name: .text entropy: 7.199901196794614
Source: Onigbk32.exe.28.dr Static PE information: section name: .text entropy: 7.148718122099703
Source: Pnkdgk32.exe.29.dr Static PE information: section name: .text entropy: 7.128193719864745
Source: Plaafobm.exe.30.dr Static PE information: section name: .text entropy: 7.123151697015828
Source: Plfjan32.exe.31.dr Static PE information: section name: .text entropy: 7.1645055122231325
Source: Abgiogom.exe.32.dr Static PE information: section name: .text entropy: 7.15783186302685
Source: Afeaee32.exe.33.dr Static PE information: section name: .text entropy: 7.133443618227196
Source: Apmfnklc.exe.34.dr Static PE information: section name: .text entropy: 7.148829340156794
Source: Aiejgqbd.exe.35.dr Static PE information: section name: .text entropy: 7.073021381214775
Source: Abnopf32.exe.36.dr Static PE information: section name: .text entropy: 7.180049933586281
Source: Boepdgoi.exe.37.dr Static PE information: section name: .text entropy: 7.062278259438176
Source: Bmfpbogh.exe.38.dr Static PE information: section name: .text entropy: 7.159488419401522
Source: Beadgadc.exe.39.dr Static PE information: section name: .text entropy: 7.1897567359449726

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\Ninbhfea.exe Executable created and started: C:\Windows\SysWOW64\Nfacbjdk.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe Executable created and started: C:\Windows\SysWOW64\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Executable created and started: C:\Windows\SysWOW64\Mdicai32.exe
Source: C:\Windows\SysWOW64\Loplncai.exe Executable created and started: C:\Windows\SysWOW64\Mlfimg32.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Executable created and started: C:\Windows\SysWOW64\Abnopf32.exe
Source: C:\Windows\SysWOW64\Mdicai32.exe Executable created and started: C:\Windows\SysWOW64\Mfhplllf.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe Executable created and started: C:\Windows\SysWOW64\Abgiogom.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe Executable created and started: C:\Windows\SysWOW64\Opldpphi.exe
Source: C:\Windows\SysWOW64\Mhmiah32.exe Executable created and started: C:\Windows\SysWOW64\Mddjfiih.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe Executable created and started: C:\Windows\SysWOW64\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe Executable created and started: C:\Windows\SysWOW64\Nfmigk32.exe
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Executable created and started: C:\Windows\SysWOW64\Ninbhfea.exe
Source: C:\Windows\SysWOW64\Kkipaf32.exe Executable created and started: C:\Windows\SysWOW64\Loplncai.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe Executable created and started: C:\Windows\SysWOW64\Obmmbkej.exe
Source: C:\Windows\SysWOW64\Opldpphi.exe Executable created and started: C:\Windows\SysWOW64\Oiehie32.exe
Source: C:\Windows\SysWOW64\Kkgclgep.exe Executable created and started: C:\Windows\SysWOW64\Kkipaf32.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe Executable created and started: C:\Windows\SysWOW64\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe Executable created and started: C:\Windows\SysWOW64\Nnhnkmek.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe Executable created and started: C:\Windows\SysWOW64\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Executable created and started: C:\Windows\SysWOW64\Npjgkp32.exe
Source: C:\Users\user\Desktop\f6t9qa761D.exe Executable created and started: C:\Windows\SysWOW64\Jagibbdg.exe
Source: C:\Windows\SysWOW64\Knccbbff.exe Executable created and started: C:\Windows\SysWOW64\Kkgclgep.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe Executable created and started: C:\Windows\SysWOW64\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Oleakplj.exe Executable created and started: C:\Windows\SysWOW64\Oiibddkd.exe
Source: C:\Windows\SysWOW64\Kegnnphk.exe Executable created and started: C:\Windows\SysWOW64\Knccbbff.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe Executable created and started: C:\Windows\SysWOW64\Afeaee32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe Executable created and started: C:\Windows\SysWOW64\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe Executable created and started: C:\Windows\SysWOW64\Mhmiah32.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe Executable created and started: C:\Windows\SysWOW64\Plfjan32.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Executable created and started: C:\Windows\SysWOW64\Mkqoicnb.exe
Source: C:\Windows\SysWOW64\Obmmbkej.exe Executable created and started: C:\Windows\SysWOW64\Oleakplj.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe Executable created and started: C:\Windows\SysWOW64\Onigbk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Executable created and started: C:\Windows\SysWOW64\Plaafobm.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe Executable created and started: C:\Windows\SysWOW64\Jokilfca.exe
Source: C:\Windows\SysWOW64\Nncepn32.exe Executable created and started: C:\Windows\SysWOW64\Nmdeneap.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe Executable created and started: C:\Windows\SysWOW64\Nncepn32.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe Executable created and started: C:\Windows\SysWOW64\Mbhkpnhb.exe
Source: C:\Windows\SysWOW64\Jokilfca.exe Executable created and started: C:\Windows\SysWOW64\Kegnnphk.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe File created: C:\Windows\SysWOW64\Jhemcd32.dll
Source: C:\Windows\SysWOW64\Ninbhfea.exe File created: C:\Windows\SysWOW64\Nfacbjdk.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe File created: C:\Windows\SysWOW64\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe File created: C:\Windows\SysWOW64\Cjemgabj.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe File created: C:\Windows\SysWOW64\Njcedipl.dll
Source: C:\Windows\SysWOW64\Mkqoicnb.exe File created: C:\Windows\SysWOW64\Mdicai32.exe
Source: C:\Windows\SysWOW64\Loplncai.exe File created: C:\Windows\SysWOW64\Mlfimg32.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe File created: C:\Windows\SysWOW64\Khhkcgiq.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe File created: C:\Windows\SysWOW64\Abnopf32.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe File created: C:\Windows\SysWOW64\Gfhipbln.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe File created: C:\Windows\SysWOW64\Nnglhjfe.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe File created: C:\Windows\SysWOW64\Abagca32.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe File created: C:\Windows\SysWOW64\Mfhplllf.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe File created: C:\Windows\SysWOW64\Abgiogom.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe File created: C:\Windows\SysWOW64\Opldpphi.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe File created: C:\Windows\SysWOW64\Caghjf32.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe File created: C:\Windows\SysWOW64\Mddjfiih.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe File created: C:\Windows\SysWOW64\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe File created: C:\Windows\SysWOW64\Clajoglf.dll
Source: C:\Windows\SysWOW64\Nmdeneap.exe File created: C:\Windows\SysWOW64\Nfmigk32.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe File created: C:\Windows\SysWOW64\Akecacdm.dll
Source: C:\Windows\SysWOW64\Nnhnkmek.exe File created: C:\Windows\SysWOW64\Ninbhfea.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe File created: C:\Windows\SysWOW64\Eakcoodc.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe File created: C:\Windows\SysWOW64\Loplncai.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe File created: C:\Windows\SysWOW64\Obmmbkej.exe
Source: C:\Windows\SysWOW64\Opldpphi.exe File created: C:\Windows\SysWOW64\Oiehie32.exe
Source: C:\Windows\SysWOW64\Kkgclgep.exe File created: C:\Windows\SysWOW64\Kkipaf32.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe File created: C:\Windows\SysWOW64\Ihifngfk.dll
Source: C:\Users\user\Desktop\f6t9qa761D.exe File created: C:\Windows\SysWOW64\Doaepp32.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe File created: C:\Windows\SysWOW64\Cboabb32.dll
Source: C:\Windows\SysWOW64\Kegnnphk.exe File created: C:\Windows\SysWOW64\Fkcpdl32.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe File created: C:\Windows\SysWOW64\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe File created: C:\Windows\SysWOW64\Nnhnkmek.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe File created: C:\Windows\SysWOW64\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe File created: C:\Windows\SysWOW64\Gdcmha32.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe File created: C:\Windows\SysWOW64\Pilbmhcp.dll
Source: C:\Windows\SysWOW64\Nfacbjdk.exe File created: C:\Windows\SysWOW64\Npjgkp32.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe File created: C:\Windows\SysWOW64\Makogp32.dll
Source: C:\Windows\SysWOW64\Obmmbkej.exe File created: C:\Windows\SysWOW64\Kkqaeb32.dll
Source: C:\Windows\SysWOW64\Kkgclgep.exe File created: C:\Windows\SysWOW64\Kbelgk32.dll
Source: C:\Users\user\Desktop\f6t9qa761D.exe File created: C:\Windows\SysWOW64\Jagibbdg.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe File created: C:\Windows\SysWOW64\Gkehlfaa.dll
Source: C:\Windows\SysWOW64\Jokilfca.exe File created: C:\Windows\SysWOW64\Flbkld32.dll
Source: C:\Windows\SysWOW64\Knccbbff.exe File created: C:\Windows\SysWOW64\Kkgclgep.exe
Source: C:\Windows\SysWOW64\Ninbhfea.exe File created: C:\Windows\SysWOW64\Okilnjci.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe File created: C:\Windows\SysWOW64\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe File created: C:\Windows\SysWOW64\Folfac32.dll
Source: C:\Windows\SysWOW64\Oleakplj.exe File created: C:\Windows\SysWOW64\Oiibddkd.exe
Source: C:\Windows\SysWOW64\Kegnnphk.exe File created: C:\Windows\SysWOW64\Knccbbff.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe File created: C:\Windows\SysWOW64\Kkpgnmhh.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe File created: C:\Windows\SysWOW64\Fompebbg.dll
Source: C:\Windows\SysWOW64\Loplncai.exe File created: C:\Windows\SysWOW64\Jflaad32.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe File created: C:\Windows\SysWOW64\Jdlgaj32.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe File created: C:\Windows\SysWOW64\Efljmjpm.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe File created: C:\Windows\SysWOW64\Afeaee32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe File created: C:\Windows\SysWOW64\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe File created: C:\Windows\SysWOW64\Mhmiah32.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe File created: C:\Windows\SysWOW64\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe File created: C:\Windows\SysWOW64\Bkmjkjhd.dll
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe File created: C:\Windows\SysWOW64\Mkqoicnb.exe
Source: C:\Windows\SysWOW64\Obmmbkej.exe File created: C:\Windows\SysWOW64\Oleakplj.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe File created: C:\Windows\SysWOW64\Onigbk32.exe
Source: C:\Windows\SysWOW64\Knccbbff.exe File created: C:\Windows\SysWOW64\Qanqbgdb.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe File created: C:\Windows\SysWOW64\Plaafobm.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe File created: C:\Windows\SysWOW64\Jokilfca.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe File created: C:\Windows\SysWOW64\Jpegka32.dll
Source: C:\Windows\SysWOW64\Opldpphi.exe File created: C:\Windows\SysWOW64\Pppjem32.dll
Source: C:\Windows\SysWOW64\Kkipaf32.exe File created: C:\Windows\SysWOW64\Eoifoe32.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Efhade32.dll
Source: C:\Windows\SysWOW64\Mhmiah32.exe File created: C:\Windows\SysWOW64\Ekdhoi32.dll
Source: C:\Windows\SysWOW64\Mdicai32.exe File created: C:\Windows\SysWOW64\Eeflcm32.dll
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Nmdeneap.exe
Source: C:\Windows\SysWOW64\Bmfpbogh.exe File created: C:\Windows\SysWOW64\Beadgadc.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe File created: C:\Windows\SysWOW64\Nncepn32.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe File created: C:\Windows\SysWOW64\Mbhkpnhb.exe
Source: C:\Windows\SysWOW64\Jokilfca.exe File created: C:\Windows\SysWOW64\Kegnnphk.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe File created: C:\Windows\SysWOW64\Imjgmahp.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe File created: C:\Windows\SysWOW64\Nikaqk32.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe File created: C:\Windows\SysWOW64\Onigbk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe File created: C:\Windows\SysWOW64\Qanqbgdb.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe File created: C:\Windows\SysWOW64\Plaafobm.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe File created: C:\Windows\SysWOW64\Jokilfca.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe File created: C:\Windows\SysWOW64\Jpegka32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe File created: C:\Windows\SysWOW64\Pppjem32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe File created: C:\Windows\SysWOW64\Eoifoe32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Efhade32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe File created: C:\Windows\SysWOW64\Ekdhoi32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe File created: C:\Windows\SysWOW64\Eeflcm32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe File created: C:\Windows\SysWOW64\Nmdeneap.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe File created: C:\Windows\SysWOW64\Beadgadc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe File created: C:\Windows\SysWOW64\Nncepn32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe File created: C:\Windows\SysWOW64\Mbhkpnhb.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe File created: C:\Windows\SysWOW64\Kegnnphk.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe File created: C:\Windows\SysWOW64\Imjgmahp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe File created: C:\Windows\SysWOW64\Nikaqk32.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\f6t9qa761D.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Fkcpdl32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nmdeneap.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jhemcd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gdcmha32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pilbmhcp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Cjemgabj.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Njcedipl.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kkqaeb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Makogp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kbelgk32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Khhkcgiq.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Nnglhjfe.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gfhipbln.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gkehlfaa.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Abagca32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Flbkld32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Folfac32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Okilnjci.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kkpgnmhh.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Fompebbg.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jdlgaj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jflaad32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Efljmjpm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Bkmjkjhd.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Caghjf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Clajoglf.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Qanqbgdb.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Akecacdm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jpegka32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pppjem32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Eakcoodc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Eoifoe32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Efhade32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekdhoi32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Eeflcm32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Beadgadc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Imjgmahp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ihifngfk.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Nikaqk32.dll Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Doaepp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Cboabb32.dll Jump to dropped file

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match File source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 2.2.Jagibbdg.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Knccbbff.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Pnkdgk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Nfmigk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Oiibddkd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Nmdeneap.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Mdicai32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Onigbk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Loplncai.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Nncepn32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Mkqoicnb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Kegnnphk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Nncepn32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Opldpphi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Npjgkp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Mbhkpnhb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Onigbk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Nnhnkmek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Mhmiah32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Plaafobm.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Nfacbjdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Mbhkpnhb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Oleakplj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Npjgkp32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Oiehie32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Bmfpbogh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Obmmbkej.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Oiibddkd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Ninbhfea.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Ofmbni32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Mfhplllf.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Mkqoicnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.f6t9qa761D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Ninbhfea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Jagibbdg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Obmmbkej.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Kkgclgep.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Mlfimg32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Abgiogom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Afeaee32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Plfjan32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Loplncai.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Nnhnkmek.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Pnkdgk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Abnopf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Mfhplllf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Apmfnklc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Mhmiah32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Nfacbjdk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Apmfnklc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Abgiogom.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Kkipaf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Boepdgoi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Ofmbni32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Plaafobm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Jokilfca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Nmdeneap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Oiehie32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Bmfpbogh.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Aiejgqbd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Kkgclgep.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Mdicai32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Nfmigk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Oleakplj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Aiejgqbd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Mddjfiih.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Opldpphi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Afeaee32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Knccbbff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Kegnnphk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Abnopf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.f6t9qa761D.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Mddjfiih.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Boepdgoi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Mlfimg32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Kkipaf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Plfjan32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Jokilfca.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1524475823.000000000042B000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1525964158.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1523895240.000000000042B000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1523541289.000000000042B000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1524873980.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1524585062.000000000042B000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1523678753.000000000042B000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1524164394.000000000042B000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1523468407.000000000042B000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1525316582.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1525532633.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1523986875.000000000042B000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1524999550.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1526525662.000000000042B000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1524355050.000000000042B000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1525639358.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1526209069.000000000042B000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1523166948.000000000042B000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
No contacted IP infos