Edit tour

Windows Analysis Report
f6t9qa761D.exe

Overview

General Information

Sample name:	f6t9qa761D.exe renamed because original name is a hash value
Original sample name:	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Analysis ID:	1515137
MD5:	f66386730c3497ca644c7e77d5d793b0
SHA1:	5da659a3e0af11bc6202517eacca18f4014b705d
SHA256:	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948
Tags:	exeuser-Chainskilabs
Infos:

Detection

Berbew, Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Berbew

Yara detected Njrat

AI detected suspicious sample

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

f6t9qa761D.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\f6t9qa761D.exe" MD5: F66386730C3497CA644C7E77D5D793B0)

Jagibbdg.exe (PID: 7860 cmdline: C:\Windows\system32\Jagibbdg.exe MD5: 124816B52FD54D9C0496C6E8F1AB2A5A)

Jokilfca.exe (PID: 7876 cmdline: C:\Windows\system32\Jokilfca.exe MD5: AC30565C2AC0057322C2E64F3CC0FBF6)

Kegnnphk.exe (PID: 7892 cmdline: C:\Windows\system32\Kegnnphk.exe MD5: B001CD1D8B944653D13962490626A544)

Knccbbff.exe (PID: 7908 cmdline: C:\Windows\system32\Knccbbff.exe MD5: 95A1E08557C9409B202379BFA46A32FD)

Kkgclgep.exe (PID: 7924 cmdline: C:\Windows\system32\Kkgclgep.exe MD5: 3BF815BC7A4EF539C25284384F57B104)

Kkipaf32.exe (PID: 7956 cmdline: C:\Windows\system32\Kkipaf32.exe MD5: E411C0D85828BE876ADBBE5F36DE67A9)

Loplncai.exe (PID: 7984 cmdline: C:\Windows\system32\Loplncai.exe MD5: F52EDDE5B35A8A27FA3D691183E2953B)

Mlfimg32.exe (PID: 8000 cmdline: C:\Windows\system32\Mlfimg32.exe MD5: CF46B9CAC7594BA5D4DC54F0FCD338E3)

Mhmiah32.exe (PID: 8016 cmdline: C:\Windows\system32\Mhmiah32.exe MD5: 55B8378BCCA0573AA52EDC94AEFDC704)

Mddjfiih.exe (PID: 8032 cmdline: C:\Windows\system32\Mddjfiih.exe MD5: 65A1D3054A66017AF432390EA625E50E)

Mbhkpnhb.exe (PID: 8048 cmdline: C:\Windows\system32\Mbhkpnhb.exe MD5: D6E72D73103928A200613FBC2BD9111C)

Mkqoicnb.exe (PID: 8064 cmdline: C:\Windows\system32\Mkqoicnb.exe MD5: 94197F299C36AF08D341335E816F8EEE)

Mdicai32.exe (PID: 8080 cmdline: C:\Windows\system32\Mdicai32.exe MD5: 1DB703D13A41CD9D7EBDCB67FDF2E592)

Mfhplllf.exe (PID: 8100 cmdline: C:\Windows\system32\Mfhplllf.exe MD5: 26B8ED89C80AF1A6DE69F0266F739588)

Nncepn32.exe (PID: 8116 cmdline: C:\Windows\system32\Nncepn32.exe MD5: B674905DB37AC8FC43BA727B14D25D04)

Nmdeneap.exe (PID: 8132 cmdline: C:\Windows\system32\Nmdeneap.exe MD5: E5F6FAFD14FBB658217EE86CBE587A03)

Nfmigk32.exe (PID: 8148 cmdline: C:\Windows\system32\Nfmigk32.exe MD5: 94CD6FB51F256E10BA1195DD99C4B4EC)

Nnhnkmek.exe (PID: 8168 cmdline: C:\Windows\system32\Nnhnkmek.exe MD5: 325DEE8246A1AC0453E99E6F61321E68)

Ninbhfea.exe (PID: 8184 cmdline: C:\Windows\system32\Ninbhfea.exe MD5: 30CE048D570516E488325C85BB935BA6)

Nfacbjdk.exe (PID: 7192 cmdline: C:\Windows\system32\Nfacbjdk.exe MD5: DE19B82272034D866A40A521582F9F76)

Npjgkp32.exe (PID: 7244 cmdline: C:\Windows\system32\Npjgkp32.exe MD5: CBAD3F92CD27CB09639A094829D9F6FD)

Opldpphi.exe (PID: 7288 cmdline: C:\Windows\system32\Opldpphi.exe MD5: 97E52ADC870D05ED94348D4A85F8D03D)

Oiehie32.exe (PID: 7340 cmdline: C:\Windows\system32\Oiehie32.exe MD5: 2CD525CE457D0EA53E6C18D181A357B6)

Obmmbkej.exe (PID: 7384 cmdline: C:\Windows\system32\Obmmbkej.exe MD5: 302772D04A5F8FE5E8DEE3E6C1384AD8)

Oleakplj.exe (PID: 7432 cmdline: C:\Windows\system32\Oleakplj.exe MD5: 30AA748393753182B4B82014D6258B66)

Oiibddkd.exe (PID: 7476 cmdline: C:\Windows\system32\Oiibddkd.exe MD5: DE0F366BEE1506A5273585B95E5E39B6)

Ofmbni32.exe (PID: 7528 cmdline: C:\Windows\system32\Ofmbni32.exe MD5: 1CA23E4E5E376FE53DC0FFC575ED2A21)

Onigbk32.exe (PID: 7580 cmdline: C:\Windows\system32\Onigbk32.exe MD5: 292610221CEC72FC244EC8366198C3AD)

Pnkdgk32.exe (PID: 7628 cmdline: C:\Windows\system32\Pnkdgk32.exe MD5: EEBAD6B46760D753660D4493EEB5AEA2)

Plaafobm.exe (PID: 1668 cmdline: C:\Windows\system32\Plaafobm.exe MD5: F40C40806DE4163DCD9146C24FFD4D20)

Plfjan32.exe (PID: 1672 cmdline: C:\Windows\system32\Plfjan32.exe MD5: 28E65FB9EECFE082F19DDE2816479231)

Abgiogom.exe (PID: 2540 cmdline: C:\Windows\system32\Abgiogom.exe MD5: 5F5E82E399D074D5225D8C32138803C3)

Afeaee32.exe (PID: 6736 cmdline: C:\Windows\system32\Afeaee32.exe MD5: 8B41C95F611B1B1A8C86BA70B3CC6443)

Apmfnklc.exe (PID: 5756 cmdline: C:\Windows\system32\Apmfnklc.exe MD5: E102B1D30DCF3D950377A7F84B677C5F)

Aiejgqbd.exe (PID: 5820 cmdline: C:\Windows\system32\Aiejgqbd.exe MD5: 59BBE828FE074191C2D6054D26585CF3)

Abnopf32.exe (PID: 932 cmdline: C:\Windows\system32\Abnopf32.exe MD5: 193316C91B9FBD583AB86986F09C4F6C)

Boepdgoi.exe (PID: 5860 cmdline: C:\Windows\system32\Boepdgoi.exe MD5: B4F5C63C242907828BEEA09266B776DB)

Bmfpbogh.exe (PID: 6704 cmdline: C:\Windows\system32\Bmfpbogh.exe MD5: B5A7058FBD260D483CAC8A6FCE0251AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Berbew		No Attribution	https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/	https://malpedia.caad.fkie.fraunhofer.de/details/win.berbew

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
f6t9qa761D.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
f6t9qa761D.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
f6t9qa761D.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
f6t9qa761D.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
f6t9qa761D.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\Pnkdgk32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Pnkdgk32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Pnkdgk32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Pnkdgk32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Pnkdgk32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Aiejgqbd.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Aiejgqbd.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Aiejgqbd.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Aiejgqbd.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Aiejgqbd.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Knccbbff.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Knccbbff.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Knccbbff.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Knccbbff.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Knccbbff.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mhmiah32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mhmiah32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nncepn32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mhmiah32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nncepn32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mhmiah32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nncepn32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nncepn32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nncepn32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mhmiah32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Onigbk32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Onigbk32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Onigbk32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Onigbk32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Onigbk32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mdicai32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mdicai32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mdicai32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mdicai32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mdicai32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Npjgkp32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Npjgkp32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Npjgkp32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Npjgkp32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Npjgkp32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Opldpphi.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkgclgep.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkgclgep.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Kkgclgep.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nnhnkmek.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kegnnphk.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kegnnphk.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Afeaee32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nfacbjdk.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkipaf32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkipaf32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Plaafobm.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Oleakplj.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mlfimg32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Oiibddkd.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Plfjan32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mfhplllf.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Bmfpbogh.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Bmfpbogh.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Obmmbkej.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Abnopf32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Beadgadc.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jagibbdg.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mbhkpnhb.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jagibbdg.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Abgiogom.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Opldpphi.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mkqoicnb.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kkgclgep.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nnhnkmek.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nfmigk32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Kegnnphk.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nfmigk32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nfacbjdk.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nfacbjdk.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nfacbjdk.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nfacbjdk.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Oleakplj.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mlfimg32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Oiibddkd.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Plfjan32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mfhplllf.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Loplncai.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Bmfpbogh.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Obmmbkej.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Abnopf32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Beadgadc.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ofmbni32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Mbhkpnhb.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ofmbni32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Abgiogom.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Opldpphi.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Opldpphi.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Opldpphi.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nnhnkmek.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Afeaee32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Kegnnphk.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Kegnnphk.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Kkipaf32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Kkipaf32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Kkipaf32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Oleakplj.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Oleakplj.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Oleakplj.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Oiibddkd.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Oiibddkd.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Oiibddkd.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Plfjan32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Plfjan32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Plfjan32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mfhplllf.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Loplncai.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Bmfpbogh.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Bmfpbogh.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Obmmbkej.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Obmmbkej.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Obmmbkej.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Abnopf32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Abnopf32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Abnopf32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Beadgadc.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Beadgadc.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Beadgadc.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mbhkpnhb.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mbhkpnhb.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mbhkpnhb.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ofmbni32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ofmbni32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ofmbni32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Abgiogom.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mkqoicnb.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mkqoicnb.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mkqoicnb.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mkqoicnb.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Kkgclgep.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nnhnkmek.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nnhnkmek.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Apmfnklc.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Apmfnklc.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jokilfca.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Jokilfca.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Jokilfca.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jokilfca.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jokilfca.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Nmdeneap.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nmdeneap.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Nmdeneap.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nmdeneap.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nmdeneap.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Oiehie32.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Oiehie32.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Oiehie32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Oiehie32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Oiehie32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Afeaee32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Afeaee32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Afeaee32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Boepdgoi.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Boepdgoi.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mddjfiih.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Nfmigk32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Nfmigk32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Nfmigk32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mlfimg32.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mlfimg32.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mlfimg32.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mfhplllf.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mfhplllf.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Abgiogom.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Abgiogom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Apmfnklc.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Apmfnklc.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Apmfnklc.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Ninbhfea.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\SysWOW64\Ninbhfea.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Ninbhfea.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Ninbhfea.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Ninbhfea.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Mddjfiih.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Mddjfiih.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Mddjfiih.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Mddjfiih.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Plaafobm.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1212b:$a1: get_Registry 0x509f2:$a1: get_Registry 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x13327:$a3: Download ERROR 0x51bee:$a3: Download ERROR 0x131ed:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51ab4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1317f:$a5: netsh firewall delete allowedprogram " 0x51a46:$a5: netsh firewall delete allowedprogram "
C:\Windows\SysWOW64\Plaafobm.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Plaafobm.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Plaafobm.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Boepdgoi.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Boepdgoi.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Boepdgoi.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Jagibbdg.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Jagibbdg.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Jagibbdg.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
C:\Windows\SysWOW64\Loplncai.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1325b:$a1: netsh firewall add allowedprogram 0x51b22:$a1: netsh firewall add allowedprogram 0x1322b:$a2: SEE_MASK_NOZONECHECKS 0x51af2:$a2: SEE_MASK_NOZONECHECKS 0x134d5:$b1: [TAP] 0x51d9c:$b1: [TAP] 0x131ed:$c3: cmd.exe /c ping 0x51ab4:$c3: cmd.exe /c ping
C:\Windows\SysWOW64\Loplncai.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1322b:$reg: SEE_MASK_NOZONECHECKS 0x51af2:$reg: SEE_MASK_NOZONECHECKS 0x13303:$msg: Execute ERROR 0x1335f:$msg: Execute ERROR 0x51bca:$msg: Execute ERROR 0x51c26:$msg: Execute ERROR 0x131ed:$ping: cmd.exe /c ping 0 -n 2 & del 0x51ab4:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\SysWOW64\Loplncai.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x1317f:$s1: netsh firewall delete allowedprogram 0x51a46:$s1: netsh firewall delete allowedprogram 0x1325b:$s2: netsh firewall add allowedprogram 0x51b22:$s2: netsh firewall add allowedprogram 0x131ed:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x51ab4:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x13303:$s4: Execute ERROR 0x1335f:$s4: Execute ERROR 0x51bca:$s4: Execute ERROR 0x51c26:$s4: Execute ERROR 0x13327:$s5: Download ERROR 0x51bee:$s5: Download ERROR 0x1348b:$s6: [kl] 0x51d52:$s6: [kl]
Click to see the 190 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10e12:$a1: get_Registry 0x11f12:$a2: SEE_MASK_NOZONECHECKS 0x1200e:$a3: Download ERROR 0x11ed4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11e66:$a5: netsh firewall delete allowedprogram "
0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11f42:$a1: netsh firewall add allowedprogram 0x11f12:$a2: SEE_MASK_NOZONECHECKS 0x121bc:$b1: [TAP] 0x11ed4:$c3: cmd.exe /c ping
0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11f12:$reg: SEE_MASK_NOZONECHECKS 0x11fea:$msg: Execute ERROR 0x12046:$msg: Execute ERROR 0x11ed4:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1174a:$a1: get_Registry 0x1284a:$a2: SEE_MASK_NOZONECHECKS 0x12946:$a3: Download ERROR 0x1280c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1279e:$a5: netsh firewall delete allowedprogram "
0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1287a:$a1: netsh firewall add allowedprogram 0x1284a:$a2: SEE_MASK_NOZONECHECKS 0x12af4:$b1: [TAP] 0x1280c:$c3: cmd.exe /c ping
0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1284a:$reg: SEE_MASK_NOZONECHECKS 0x12922:$msg: Execute ERROR 0x1297e:$msg: Execute ERROR 0x1280c:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1155a:$a1: get_Registry 0x1265a:$a2: SEE_MASK_NOZONECHECKS 0x12756:$a3: Download ERROR 0x1261c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x125ae:$a5: netsh firewall delete allowedprogram "
00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1268a:$a1: netsh firewall add allowedprogram 0x1265a:$a2: SEE_MASK_NOZONECHECKS 0x12904:$b1: [TAP] 0x1261c:$c3: cmd.exe /c ping
00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1265a:$reg: SEE_MASK_NOZONECHECKS 0x12732:$msg: Execute ERROR 0x1278e:$msg: Execute ERROR 0x1261c:$ping: cmd.exe /c ping 0 -n 2 & del
00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11bfb:$a1: get_Registry 0x504c2:$a1: get_Registry 0x12cfb:$a2: SEE_MASK_NOZONECHECKS 0x515c2:$a2: SEE_MASK_NOZONECHECKS 0x12df7:$a3: Download ERROR 0x516be:$a3: Download ERROR 0x12cbd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51584:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12c4f:$a5: netsh firewall delete allowedprogram " 0x51516:$a5: netsh firewall delete allowedprogram "
0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12d2b:$a1: netsh firewall add allowedprogram 0x515f2:$a1: netsh firewall add allowedprogram 0x12cfb:$a2: SEE_MASK_NOZONECHECKS 0x515c2:$a2: SEE_MASK_NOZONECHECKS 0x12fa5:$b1: [TAP] 0x5186c:$b1: [TAP] 0x12cbd:$c3: cmd.exe /c ping 0x51584:$c3: cmd.exe /c ping
0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12cfb:$reg: SEE_MASK_NOZONECHECKS 0x515c2:$reg: SEE_MASK_NOZONECHECKS 0x12dd3:$msg: Execute ERROR 0x12e2f:$msg: Execute ERROR 0x5169a:$msg: Execute ERROR 0x516f6:$msg: Execute ERROR 0x12cbd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51584:$ping: cmd.exe /c ping 0 -n 2 & del
0000001F.00000002.1524475823.000000000042B000.00000004.00000001.01000000.00000021.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117fb:$a1: get_Registry 0x500c2:$a1: get_Registry 0x128fb:$a2: SEE_MASK_NOZONECHECKS 0x511c2:$a2: SEE_MASK_NOZONECHECKS 0x129f7:$a3: Download ERROR 0x512be:$a3: Download ERROR 0x128bd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51184:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1284f:$a5: netsh firewall delete allowedprogram " 0x51116:$a5: netsh firewall delete allowedprogram "
00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1292b:$a1: netsh firewall add allowedprogram 0x511f2:$a1: netsh firewall add allowedprogram 0x128fb:$a2: SEE_MASK_NOZONECHECKS 0x511c2:$a2: SEE_MASK_NOZONECHECKS 0x12ba5:$b1: [TAP] 0x5146c:$b1: [TAP] 0x128bd:$c3: cmd.exe /c ping 0x51184:$c3: cmd.exe /c ping
00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128fb:$reg: SEE_MASK_NOZONECHECKS 0x511c2:$reg: SEE_MASK_NOZONECHECKS 0x129d3:$msg: Execute ERROR 0x12a2f:$msg: Execute ERROR 0x5129a:$msg: Execute ERROR 0x512f6:$msg: Execute ERROR 0x128bd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51184:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11b93:$a1: get_Registry 0x5045a:$a1: get_Registry 0x12c93:$a2: SEE_MASK_NOZONECHECKS 0x5155a:$a2: SEE_MASK_NOZONECHECKS 0x12d8f:$a3: Download ERROR 0x51656:$a3: Download ERROR 0x12c55:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5151c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12be7:$a5: netsh firewall delete allowedprogram " 0x514ae:$a5: netsh firewall delete allowedprogram "
00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12cc3:$a1: netsh firewall add allowedprogram 0x5158a:$a1: netsh firewall add allowedprogram 0x12c93:$a2: SEE_MASK_NOZONECHECKS 0x5155a:$a2: SEE_MASK_NOZONECHECKS 0x12f3d:$b1: [TAP] 0x51804:$b1: [TAP] 0x12c55:$c3: cmd.exe /c ping 0x5151c:$c3: cmd.exe /c ping
00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12c93:$reg: SEE_MASK_NOZONECHECKS 0x5155a:$reg: SEE_MASK_NOZONECHECKS 0x12d6b:$msg: Execute ERROR 0x12dc7:$msg: Execute ERROR 0x51632:$msg: Execute ERROR 0x5168e:$msg: Execute ERROR 0x12c55:$ping: cmd.exe /c ping 0 -n 2 & del 0x5151c:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x114c2:$a1: get_Registry 0x125c2:$a2: SEE_MASK_NOZONECHECKS 0x126be:$a3: Download ERROR 0x12584:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12516:$a5: netsh firewall delete allowedprogram "
00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x125f2:$a1: netsh firewall add allowedprogram 0x125c2:$a2: SEE_MASK_NOZONECHECKS 0x1286c:$b1: [TAP] 0x12584:$c3: cmd.exe /c ping
00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x125c2:$reg: SEE_MASK_NOZONECHECKS 0x1269a:$msg: Execute ERROR 0x126f6:$msg: Execute ERROR 0x12584:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118c2:$a1: get_Registry 0x129c2:$a2: SEE_MASK_NOZONECHECKS 0x12abe:$a3: Download ERROR 0x12984:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12916:$a5: netsh firewall delete allowedprogram "
0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129f2:$a1: netsh firewall add allowedprogram 0x129c2:$a2: SEE_MASK_NOZONECHECKS 0x12c6c:$b1: [TAP] 0x12984:$c3: cmd.exe /c ping
0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129c2:$reg: SEE_MASK_NOZONECHECKS 0x12a9a:$msg: Execute ERROR 0x12af6:$msg: Execute ERROR 0x12984:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108a2:$a1: get_Registry 0x119a2:$a2: SEE_MASK_NOZONECHECKS 0x11a9e:$a3: Download ERROR 0x11964:$a4: cmd.exe /c ping 0 -n 2 & del " 0x118f6:$a5: netsh firewall delete allowedprogram "
00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x119d2:$a1: netsh firewall add allowedprogram 0x119a2:$a2: SEE_MASK_NOZONECHECKS 0x11c4c:$b1: [TAP] 0x11964:$c3: cmd.exe /c ping
00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119a2:$reg: SEE_MASK_NOZONECHECKS 0x11a7a:$msg: Execute ERROR 0x11ad6:$msg: Execute ERROR 0x11964:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000018.00000002.1525964158.000000000042B000.00000004.00000001.01000000.0000001A.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000023.00000002.1523895240.000000000042B000.00000004.00000001.01000000.00000025.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000025.00000002.1523541289.000000000042B000.00000004.00000001.01000000.00000027.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108aa:$a1: get_Registry 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11aa6:$a3: Download ERROR 0x1196c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x118fe:$a5: netsh firewall delete allowedprogram "
00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x119da:$a1: netsh firewall add allowedprogram 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11c54:$b1: [TAP] 0x1196c:$c3: cmd.exe /c ping
00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119aa:$reg: SEE_MASK_NOZONECHECKS 0x11a82:$msg: Execute ERROR 0x11ade:$msg: Execute ERROR 0x1196c:$ping: cmd.exe /c ping 0 -n 2 & del
0000001D.00000002.1524873980.000000000042B000.00000004.00000001.01000000.0000001F.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001E.00000002.1524585062.000000000042B000.00000004.00000001.01000000.00000020.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1135a:$a1: get_Registry 0x1245a:$a2: SEE_MASK_NOZONECHECKS 0x12556:$a3: Download ERROR 0x1241c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x123ae:$a5: netsh firewall delete allowedprogram "
00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1248a:$a1: netsh firewall add allowedprogram 0x1245a:$a2: SEE_MASK_NOZONECHECKS 0x12704:$b1: [TAP] 0x1241c:$c3: cmd.exe /c ping
00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1245a:$reg: SEE_MASK_NOZONECHECKS 0x12532:$msg: Execute ERROR 0x1258e:$msg: Execute ERROR 0x1241c:$ping: cmd.exe /c ping 0 -n 2 & del
00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000024.00000002.1523678753.000000000042B000.00000004.00000001.01000000.00000026.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11e3b:$a1: get_Registry 0x50702:$a1: get_Registry 0x12f3b:$a2: SEE_MASK_NOZONECHECKS 0x51802:$a2: SEE_MASK_NOZONECHECKS 0x13037:$a3: Download ERROR 0x518fe:$a3: Download ERROR 0x12efd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x517c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12e8f:$a5: netsh firewall delete allowedprogram " 0x51756:$a5: netsh firewall delete allowedprogram "
0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12f6b:$a1: netsh firewall add allowedprogram 0x51832:$a1: netsh firewall add allowedprogram 0x12f3b:$a2: SEE_MASK_NOZONECHECKS 0x51802:$a2: SEE_MASK_NOZONECHECKS 0x131e5:$b1: [TAP] 0x51aac:$b1: [TAP] 0x12efd:$c3: cmd.exe /c ping 0x517c4:$c3: cmd.exe /c ping
0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12f3b:$reg: SEE_MASK_NOZONECHECKS 0x51802:$reg: SEE_MASK_NOZONECHECKS 0x13013:$msg: Execute ERROR 0x1306f:$msg: Execute ERROR 0x518da:$msg: Execute ERROR 0x51936:$msg: Execute ERROR 0x12efd:$ping: cmd.exe /c ping 0 -n 2 & del 0x517c4:$ping: cmd.exe /c ping 0 -n 2 & del
0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1135a:$a1: get_Registry 0x1245a:$a2: SEE_MASK_NOZONECHECKS 0x12556:$a3: Download ERROR 0x1241c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x123ae:$a5: netsh firewall delete allowedprogram "
0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1248a:$a1: netsh firewall add allowedprogram 0x1245a:$a2: SEE_MASK_NOZONECHECKS 0x12704:$b1: [TAP] 0x1241c:$c3: cmd.exe /c ping
0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1245a:$reg: SEE_MASK_NOZONECHECKS 0x12532:$msg: Execute ERROR 0x1258e:$msg: Execute ERROR 0x1241c:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000002.1524164394.000000000042B000.00000004.00000001.01000000.00000023.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000026.00000002.1523468407.000000000042B000.00000004.00000001.01000000.00000028.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11452:$a1: get_Registry 0x12552:$a2: SEE_MASK_NOZONECHECKS 0x1264e:$a3: Download ERROR 0x12514:$a4: cmd.exe /c ping 0 -n 2 & del " 0x124a6:$a5: netsh firewall delete allowedprogram "
0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12582:$a1: netsh firewall add allowedprogram 0x12552:$a2: SEE_MASK_NOZONECHECKS 0x127fc:$b1: [TAP] 0x12514:$c3: cmd.exe /c ping
0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12552:$reg: SEE_MASK_NOZONECHECKS 0x1262a:$msg: Execute ERROR 0x12686:$msg: Execute ERROR 0x12514:$ping: cmd.exe /c ping 0 -n 2 & del
00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173b:$a1: get_Registry 0x50002:$a1: get_Registry 0x1283b:$a2: SEE_MASK_NOZONECHECKS 0x51102:$a2: SEE_MASK_NOZONECHECKS 0x12937:$a3: Download ERROR 0x511fe:$a3: Download ERROR 0x127fd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x510c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278f:$a5: netsh firewall delete allowedprogram " 0x51056:$a5: netsh firewall delete allowedprogram "
00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286b:$a1: netsh firewall add allowedprogram 0x51132:$a1: netsh firewall add allowedprogram 0x1283b:$a2: SEE_MASK_NOZONECHECKS 0x51102:$a2: SEE_MASK_NOZONECHECKS 0x12ae5:$b1: [TAP] 0x513ac:$b1: [TAP] 0x127fd:$c3: cmd.exe /c ping 0x510c4:$c3: cmd.exe /c ping
00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283b:$reg: SEE_MASK_NOZONECHECKS 0x51102:$reg: SEE_MASK_NOZONECHECKS 0x12913:$msg: Execute ERROR 0x1296f:$msg: Execute ERROR 0x511da:$msg: Execute ERROR 0x51236:$msg: Execute ERROR 0x127fd:$ping: cmd.exe /c ping 0 -n 2 & del 0x510c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118a2:$a1: get_Registry 0x129a2:$a2: SEE_MASK_NOZONECHECKS 0x12a9e:$a3: Download ERROR 0x12964:$a4: cmd.exe /c ping 0 -n 2 & del " 0x128f6:$a5: netsh firewall delete allowedprogram "
00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129d2:$a1: netsh firewall add allowedprogram 0x129a2:$a2: SEE_MASK_NOZONECHECKS 0x12c4c:$b1: [TAP] 0x12964:$c3: cmd.exe /c ping
00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129a2:$reg: SEE_MASK_NOZONECHECKS 0x12a7a:$msg: Execute ERROR 0x12ad6:$msg: Execute ERROR 0x12964:$ping: cmd.exe /c ping 0 -n 2 & del
0000001B.00000002.1525316582.000000000042B000.00000004.00000001.01000000.0000001D.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1180b:$a1: get_Registry 0x500d2:$a1: get_Registry 0x1290b:$a2: SEE_MASK_NOZONECHECKS 0x511d2:$a2: SEE_MASK_NOZONECHECKS 0x12a07:$a3: Download ERROR 0x512ce:$a3: Download ERROR 0x128cd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51194:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1285f:$a5: netsh firewall delete allowedprogram " 0x51126:$a5: netsh firewall delete allowedprogram "
0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1293b:$a1: netsh firewall add allowedprogram 0x51202:$a1: netsh firewall add allowedprogram 0x1290b:$a2: SEE_MASK_NOZONECHECKS 0x511d2:$a2: SEE_MASK_NOZONECHECKS 0x12bb5:$b1: [TAP] 0x5147c:$b1: [TAP] 0x128cd:$c3: cmd.exe /c ping 0x51194:$c3: cmd.exe /c ping
0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1290b:$reg: SEE_MASK_NOZONECHECKS 0x511d2:$reg: SEE_MASK_NOZONECHECKS 0x129e3:$msg: Execute ERROR 0x12a3f:$msg: Execute ERROR 0x512aa:$msg: Execute ERROR 0x51306:$msg: Execute ERROR 0x128cd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51194:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001A.00000002.1525532633.000000000042B000.00000004.00000001.01000000.0000001C.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1148a:$a1: get_Registry 0x1258a:$a2: SEE_MASK_NOZONECHECKS 0x12686:$a3: Download ERROR 0x1254c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x124de:$a5: netsh firewall delete allowedprogram "
00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11b33:$a1: get_Registry 0x503fa:$a1: get_Registry 0x12c33:$a2: SEE_MASK_NOZONECHECKS 0x514fa:$a2: SEE_MASK_NOZONECHECKS 0x12d2f:$a3: Download ERROR 0x515f6:$a3: Download ERROR 0x12bf5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x514bc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12b87:$a5: netsh firewall delete allowedprogram " 0x5144e:$a5: netsh firewall delete allowedprogram "
00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x125ba:$a1: netsh firewall add allowedprogram 0x1258a:$a2: SEE_MASK_NOZONECHECKS 0x12834:$b1: [TAP] 0x1254c:$c3: cmd.exe /c ping
00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12c63:$a1: netsh firewall add allowedprogram 0x5152a:$a1: netsh firewall add allowedprogram 0x12c33:$a2: SEE_MASK_NOZONECHECKS 0x514fa:$a2: SEE_MASK_NOZONECHECKS 0x12edd:$b1: [TAP] 0x517a4:$b1: [TAP] 0x12bf5:$c3: cmd.exe /c ping 0x514bc:$c3: cmd.exe /c ping
00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12c33:$reg: SEE_MASK_NOZONECHECKS 0x514fa:$reg: SEE_MASK_NOZONECHECKS 0x12d0b:$msg: Execute ERROR 0x12d67:$msg: Execute ERROR 0x515d2:$msg: Execute ERROR 0x5162e:$msg: Execute ERROR 0x12bf5:$ping: cmd.exe /c ping 0 -n 2 & del 0x514bc:$ping: cmd.exe /c ping 0 -n 2 & del
00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1258a:$reg: SEE_MASK_NOZONECHECKS 0x12662:$msg: Execute ERROR 0x126be:$msg: Execute ERROR 0x1254c:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000022.00000002.1523986875.000000000042B000.00000004.00000001.01000000.00000024.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001C.00000002.1524999550.000000000042B000.00000004.00000001.01000000.0000001E.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x118c2:$a1: get_Registry 0x129c2:$a2: SEE_MASK_NOZONECHECKS 0x12abe:$a3: Download ERROR 0x12984:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12916:$a5: netsh firewall delete allowedprogram "
0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x129f2:$a1: netsh firewall add allowedprogram 0x129c2:$a2: SEE_MASK_NOZONECHECKS 0x12c6c:$b1: [TAP] 0x12984:$c3: cmd.exe /c ping
0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x129c2:$reg: SEE_MASK_NOZONECHECKS 0x12a9a:$msg: Execute ERROR 0x12af6:$msg: Execute ERROR 0x12984:$ping: cmd.exe /c ping 0 -n 2 & del
00000016.00000002.1526525662.000000000042B000.00000004.00000001.01000000.00000018.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117f3:$a1: get_Registry 0x500ba:$a1: get_Registry 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x129ef:$a3: Download ERROR 0x512b6:$a3: Download ERROR 0x128b5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5117c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12847:$a5: netsh firewall delete allowedprogram " 0x5110e:$a5: netsh firewall delete allowedprogram "
00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12923:$a1: netsh firewall add allowedprogram 0x511ea:$a1: netsh firewall add allowedprogram 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x12b9d:$b1: [TAP] 0x51464:$b1: [TAP] 0x128b5:$c3: cmd.exe /c ping 0x5117c:$c3: cmd.exe /c ping
00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128f3:$reg: SEE_MASK_NOZONECHECKS 0x511ba:$reg: SEE_MASK_NOZONECHECKS 0x129cb:$msg: Execute ERROR 0x12a27:$msg: Execute ERROR 0x51292:$msg: Execute ERROR 0x512ee:$msg: Execute ERROR 0x128b5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5117c:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11462:$a1: get_Registry 0x12562:$a2: SEE_MASK_NOZONECHECKS 0x1265e:$a3: Download ERROR 0x12524:$a4: cmd.exe /c ping 0 -n 2 & del " 0x124b6:$a5: netsh firewall delete allowedprogram "
00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12592:$a1: netsh firewall add allowedprogram 0x12562:$a2: SEE_MASK_NOZONECHECKS 0x1280c:$b1: [TAP] 0x12524:$c3: cmd.exe /c ping
00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12562:$reg: SEE_MASK_NOZONECHECKS 0x1263a:$msg: Execute ERROR 0x12696:$msg: Execute ERROR 0x12524:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117eb:$a1: get_Registry 0x500b2:$a1: get_Registry 0x128eb:$a2: SEE_MASK_NOZONECHECKS 0x511b2:$a2: SEE_MASK_NOZONECHECKS 0x129e7:$a3: Download ERROR 0x512ae:$a3: Download ERROR 0x128ad:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51174:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1283f:$a5: netsh firewall delete allowedprogram " 0x51106:$a5: netsh firewall delete allowedprogram "
00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1291b:$a1: netsh firewall add allowedprogram 0x511e2:$a1: netsh firewall add allowedprogram 0x128eb:$a2: SEE_MASK_NOZONECHECKS 0x511b2:$a2: SEE_MASK_NOZONECHECKS 0x12b95:$b1: [TAP] 0x5145c:$b1: [TAP] 0x128ad:$c3: cmd.exe /c ping 0x51174:$c3: cmd.exe /c ping
00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128eb:$reg: SEE_MASK_NOZONECHECKS 0x511b2:$reg: SEE_MASK_NOZONECHECKS 0x129c3:$msg: Execute ERROR 0x12a1f:$msg: Execute ERROR 0x5128a:$msg: Execute ERROR 0x512e6:$msg: Execute ERROR 0x128ad:$ping: cmd.exe /c ping 0 -n 2 & del 0x51174:$ping: cmd.exe /c ping 0 -n 2 & del
00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108aa:$a1: get_Registry 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11aa6:$a3: Download ERROR 0x1196c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x118fe:$a5: netsh firewall delete allowedprogram "
00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x119da:$a1: netsh firewall add allowedprogram 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11c54:$b1: [TAP] 0x1196c:$c3: cmd.exe /c ping
00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119aa:$reg: SEE_MASK_NOZONECHECKS 0x11a82:$msg: Execute ERROR 0x11ade:$msg: Execute ERROR 0x1196c:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108b2:$a1: get_Registry 0x119b2:$a2: SEE_MASK_NOZONECHECKS 0x11aae:$a3: Download ERROR 0x11974:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11906:$a5: netsh firewall delete allowedprogram "
00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x119e2:$a1: netsh firewall add allowedprogram 0x119b2:$a2: SEE_MASK_NOZONECHECKS 0x11c5c:$b1: [TAP] 0x11974:$c3: cmd.exe /c ping
00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119b2:$reg: SEE_MASK_NOZONECHECKS 0x11a8a:$msg: Execute ERROR 0x11ae6:$msg: Execute ERROR 0x11974:$ping: cmd.exe /c ping 0 -n 2 & del
00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1167b:$a1: get_Registry 0x4ff42:$a1: get_Registry 0x1277b:$a2: SEE_MASK_NOZONECHECKS 0x51042:$a2: SEE_MASK_NOZONECHECKS 0x12877:$a3: Download ERROR 0x5113e:$a3: Download ERROR 0x1273d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51004:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126cf:$a5: netsh firewall delete allowedprogram " 0x50f96:$a5: netsh firewall delete allowedprogram "
00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127ab:$a1: netsh firewall add allowedprogram 0x51072:$a1: netsh firewall add allowedprogram 0x1277b:$a2: SEE_MASK_NOZONECHECKS 0x51042:$a2: SEE_MASK_NOZONECHECKS 0x12a25:$b1: [TAP] 0x512ec:$b1: [TAP] 0x1273d:$c3: cmd.exe /c ping 0x51004:$c3: cmd.exe /c ping
00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1277b:$reg: SEE_MASK_NOZONECHECKS 0x51042:$reg: SEE_MASK_NOZONECHECKS 0x12853:$msg: Execute ERROR 0x128af:$msg: Execute ERROR 0x5111a:$msg: Execute ERROR 0x51176:$msg: Execute ERROR 0x1273d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51004:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11693:$a1: get_Registry 0x4ff5a:$a1: get_Registry 0x12793:$a2: SEE_MASK_NOZONECHECKS 0x5105a:$a2: SEE_MASK_NOZONECHECKS 0x1288f:$a3: Download ERROR 0x51156:$a3: Download ERROR 0x12755:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5101c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126e7:$a5: netsh firewall delete allowedprogram " 0x50fae:$a5: netsh firewall delete allowedprogram "
0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127c3:$a1: netsh firewall add allowedprogram 0x5108a:$a1: netsh firewall add allowedprogram 0x12793:$a2: SEE_MASK_NOZONECHECKS 0x5105a:$a2: SEE_MASK_NOZONECHECKS 0x12a3d:$b1: [TAP] 0x51304:$b1: [TAP] 0x12755:$c3: cmd.exe /c ping 0x5101c:$c3: cmd.exe /c ping
0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12793:$reg: SEE_MASK_NOZONECHECKS 0x5105a:$reg: SEE_MASK_NOZONECHECKS 0x1286b:$msg: Execute ERROR 0x128c7:$msg: Execute ERROR 0x51132:$msg: Execute ERROR 0x5118e:$msg: Execute ERROR 0x12755:$ping: cmd.exe /c ping 0 -n 2 & del 0x5101c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11693:$a1: get_Registry 0x4ff5a:$a1: get_Registry 0x12793:$a2: SEE_MASK_NOZONECHECKS 0x5105a:$a2: SEE_MASK_NOZONECHECKS 0x1288f:$a3: Download ERROR 0x51156:$a3: Download ERROR 0x12755:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5101c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126e7:$a5: netsh firewall delete allowedprogram " 0x50fae:$a5: netsh firewall delete allowedprogram "
0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127c3:$a1: netsh firewall add allowedprogram 0x5108a:$a1: netsh firewall add allowedprogram 0x12793:$a2: SEE_MASK_NOZONECHECKS 0x5105a:$a2: SEE_MASK_NOZONECHECKS 0x12a3d:$b1: [TAP] 0x51304:$b1: [TAP] 0x12755:$c3: cmd.exe /c ping 0x5101c:$c3: cmd.exe /c ping
0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12793:$reg: SEE_MASK_NOZONECHECKS 0x5105a:$reg: SEE_MASK_NOZONECHECKS 0x1286b:$msg: Execute ERROR 0x128c7:$msg: Execute ERROR 0x51132:$msg: Execute ERROR 0x5118e:$msg: Execute ERROR 0x12755:$ping: cmd.exe /c ping 0 -n 2 & del 0x5101c:$ping: cmd.exe /c ping 0 -n 2 & del
00000020.00000002.1524355050.000000000042B000.00000004.00000001.01000000.00000022.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a8b:$a1: get_Registry 0x50352:$a1: get_Registry 0x12b8b:$a2: SEE_MASK_NOZONECHECKS 0x51452:$a2: SEE_MASK_NOZONECHECKS 0x12c87:$a3: Download ERROR 0x5154e:$a3: Download ERROR 0x12b4d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51414:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12adf:$a5: netsh firewall delete allowedprogram " 0x513a6:$a5: netsh firewall delete allowedprogram "
00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12bbb:$a1: netsh firewall add allowedprogram 0x51482:$a1: netsh firewall add allowedprogram 0x12b8b:$a2: SEE_MASK_NOZONECHECKS 0x51452:$a2: SEE_MASK_NOZONECHECKS 0x12e35:$b1: [TAP] 0x516fc:$b1: [TAP] 0x12b4d:$c3: cmd.exe /c ping 0x51414:$c3: cmd.exe /c ping
00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b8b:$reg: SEE_MASK_NOZONECHECKS 0x51452:$reg: SEE_MASK_NOZONECHECKS 0x12c63:$msg: Execute ERROR 0x12cbf:$msg: Execute ERROR 0x5152a:$msg: Execute ERROR 0x51586:$msg: Execute ERROR 0x12b4d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51414:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11bf3:$a1: get_Registry 0x504ba:$a1: get_Registry 0x12cf3:$a2: SEE_MASK_NOZONECHECKS 0x515ba:$a2: SEE_MASK_NOZONECHECKS 0x12def:$a3: Download ERROR 0x516b6:$a3: Download ERROR 0x12cb5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5157c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12c47:$a5: netsh firewall delete allowedprogram " 0x5150e:$a5: netsh firewall delete allowedprogram "
00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12d23:$a1: netsh firewall add allowedprogram 0x515ea:$a1: netsh firewall add allowedprogram 0x12cf3:$a2: SEE_MASK_NOZONECHECKS 0x515ba:$a2: SEE_MASK_NOZONECHECKS 0x12f9d:$b1: [TAP] 0x51864:$b1: [TAP] 0x12cb5:$c3: cmd.exe /c ping 0x5157c:$c3: cmd.exe /c ping
00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12cf3:$reg: SEE_MASK_NOZONECHECKS 0x515ba:$reg: SEE_MASK_NOZONECHECKS 0x12dcb:$msg: Execute ERROR 0x12e27:$msg: Execute ERROR 0x51692:$msg: Execute ERROR 0x516ee:$msg: Execute ERROR 0x12cb5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5157c:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115aa:$a1: get_Registry 0x126aa:$a2: SEE_MASK_NOZONECHECKS 0x127a6:$a3: Download ERROR 0x1266c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x125fe:$a5: netsh firewall delete allowedprogram "
00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x126da:$a1: netsh firewall add allowedprogram 0x126aa:$a2: SEE_MASK_NOZONECHECKS 0x12954:$b1: [TAP] 0x1266c:$c3: cmd.exe /c ping
00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x126aa:$reg: SEE_MASK_NOZONECHECKS 0x12782:$msg: Execute ERROR 0x127de:$msg: Execute ERROR 0x1266c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000019.00000002.1525639358.000000000042B000.00000004.00000001.01000000.0000001B.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117eb:$a1: get_Registry 0x500b2:$a1: get_Registry 0x128eb:$a2: SEE_MASK_NOZONECHECKS 0x511b2:$a2: SEE_MASK_NOZONECHECKS 0x129e7:$a3: Download ERROR 0x512ae:$a3: Download ERROR 0x128ad:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51174:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1283f:$a5: netsh firewall delete allowedprogram " 0x51106:$a5: netsh firewall delete allowedprogram "
00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1291b:$a1: netsh firewall add allowedprogram 0x511e2:$a1: netsh firewall add allowedprogram 0x128eb:$a2: SEE_MASK_NOZONECHECKS 0x511b2:$a2: SEE_MASK_NOZONECHECKS 0x12b95:$b1: [TAP] 0x5145c:$b1: [TAP] 0x128ad:$c3: cmd.exe /c ping 0x51174:$c3: cmd.exe /c ping
00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128eb:$reg: SEE_MASK_NOZONECHECKS 0x511b2:$reg: SEE_MASK_NOZONECHECKS 0x129c3:$msg: Execute ERROR 0x12a1f:$msg: Execute ERROR 0x5128a:$msg: Execute ERROR 0x512e6:$msg: Execute ERROR 0x128ad:$ping: cmd.exe /c ping 0 -n 2 & del 0x51174:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117f3:$a1: get_Registry 0x500ba:$a1: get_Registry 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x129ef:$a3: Download ERROR 0x512b6:$a3: Download ERROR 0x128b5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5117c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12847:$a5: netsh firewall delete allowedprogram " 0x5110e:$a5: netsh firewall delete allowedprogram "
00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12923:$a1: netsh firewall add allowedprogram 0x511ea:$a1: netsh firewall add allowedprogram 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x12b9d:$b1: [TAP] 0x51464:$b1: [TAP] 0x128b5:$c3: cmd.exe /c ping 0x5117c:$c3: cmd.exe /c ping
00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128f3:$reg: SEE_MASK_NOZONECHECKS 0x511ba:$reg: SEE_MASK_NOZONECHECKS 0x129cb:$msg: Execute ERROR 0x12a27:$msg: Execute ERROR 0x51292:$msg: Execute ERROR 0x512ee:$msg: Execute ERROR 0x128b5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5117c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x10ef2:$a1: get_Registry 0x11ff2:$a2: SEE_MASK_NOZONECHECKS 0x120ee:$a3: Download ERROR 0x11fb4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x11f46:$a5: netsh firewall delete allowedprogram "
0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12022:$a1: netsh firewall add allowedprogram 0x11ff2:$a2: SEE_MASK_NOZONECHECKS 0x1229c:$b1: [TAP] 0x11fb4:$c3: cmd.exe /c ping
0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11ff2:$reg: SEE_MASK_NOZONECHECKS 0x120ca:$msg: Execute ERROR 0x12126:$msg: Execute ERROR 0x11fb4:$ping: cmd.exe /c ping 0 -n 2 & del
0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1173a:$a1: get_Registry 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12936:$a3: Download ERROR 0x127fc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1278e:$a5: netsh firewall delete allowedprogram "
00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1286a:$a1: netsh firewall add allowedprogram 0x1283a:$a2: SEE_MASK_NOZONECHECKS 0x12ae4:$b1: [TAP] 0x127fc:$c3: cmd.exe /c ping
00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1283a:$reg: SEE_MASK_NOZONECHECKS 0x12912:$msg: Execute ERROR 0x1296e:$msg: Execute ERROR 0x127fc:$ping: cmd.exe /c ping 0 -n 2 & del
00000017.00000002.1526209069.000000000042B000.00000004.00000001.01000000.00000019.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1174a:$a1: get_Registry 0x1284a:$a2: SEE_MASK_NOZONECHECKS 0x12946:$a3: Download ERROR 0x1280c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1279e:$a5: netsh firewall delete allowedprogram "
0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1287a:$a1: netsh firewall add allowedprogram 0x1284a:$a2: SEE_MASK_NOZONECHECKS 0x12af4:$b1: [TAP] 0x1280c:$c3: cmd.exe /c ping
0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1284a:$reg: SEE_MASK_NOZONECHECKS 0x12922:$msg: Execute ERROR 0x1297e:$msg: Execute ERROR 0x1280c:$ping: cmd.exe /c ping 0 -n 2 & del
00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11bbb:$a1: get_Registry 0x50482:$a1: get_Registry 0x12cbb:$a2: SEE_MASK_NOZONECHECKS 0x51582:$a2: SEE_MASK_NOZONECHECKS 0x12db7:$a3: Download ERROR 0x5167e:$a3: Download ERROR 0x12c7d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51544:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12c0f:$a5: netsh firewall delete allowedprogram " 0x514d6:$a5: netsh firewall delete allowedprogram "
00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12ceb:$a1: netsh firewall add allowedprogram 0x515b2:$a1: netsh firewall add allowedprogram 0x12cbb:$a2: SEE_MASK_NOZONECHECKS 0x51582:$a2: SEE_MASK_NOZONECHECKS 0x12f65:$b1: [TAP] 0x5182c:$b1: [TAP] 0x12c7d:$c3: cmd.exe /c ping 0x51544:$c3: cmd.exe /c ping
00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12cbb:$reg: SEE_MASK_NOZONECHECKS 0x51582:$reg: SEE_MASK_NOZONECHECKS 0x12d93:$msg: Execute ERROR 0x12def:$msg: Execute ERROR 0x5165a:$msg: Execute ERROR 0x516b6:$msg: Execute ERROR 0x12c7d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51544:$ping: cmd.exe /c ping 0 -n 2 & del
00000027.00000002.1523166948.000000000042B000.00000004.00000001.01000000.00000029.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a8b:$a1: get_Registry 0x50352:$a1: get_Registry 0x12b8b:$a2: SEE_MASK_NOZONECHECKS 0x51452:$a2: SEE_MASK_NOZONECHECKS 0x12c87:$a3: Download ERROR 0x5154e:$a3: Download ERROR 0x12b4d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51414:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12adf:$a5: netsh firewall delete allowedprogram " 0x513a6:$a5: netsh firewall delete allowedprogram "
0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12bbb:$a1: netsh firewall add allowedprogram 0x51482:$a1: netsh firewall add allowedprogram 0x12b8b:$a2: SEE_MASK_NOZONECHECKS 0x51452:$a2: SEE_MASK_NOZONECHECKS 0x12e35:$b1: [TAP] 0x516fc:$b1: [TAP] 0x12b4d:$c3: cmd.exe /c ping 0x51414:$c3: cmd.exe /c ping
0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b8b:$reg: SEE_MASK_NOZONECHECKS 0x51452:$reg: SEE_MASK_NOZONECHECKS 0x12c63:$msg: Execute ERROR 0x12cbf:$msg: Execute ERROR 0x5152a:$msg: Execute ERROR 0x51586:$msg: Execute ERROR 0x12b4d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51414:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1100a:$a1: get_Registry 0x1210a:$a2: SEE_MASK_NOZONECHECKS 0x12206:$a3: Download ERROR 0x120cc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1205e:$a5: netsh firewall delete allowedprogram "
00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1213a:$a1: netsh firewall add allowedprogram 0x1210a:$a2: SEE_MASK_NOZONECHECKS 0x123b4:$b1: [TAP] 0x120cc:$c3: cmd.exe /c ping
00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1210a:$reg: SEE_MASK_NOZONECHECKS 0x121e2:$msg: Execute ERROR 0x1223e:$msg: Execute ERROR 0x120cc:$ping: cmd.exe /c ping 0 -n 2 & del
00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11402:$a1: get_Registry 0x12502:$a2: SEE_MASK_NOZONECHECKS 0x125fe:$a3: Download ERROR 0x124c4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12456:$a5: netsh firewall delete allowedprogram "
00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12532:$a1: netsh firewall add allowedprogram 0x12502:$a2: SEE_MASK_NOZONECHECKS 0x127ac:$b1: [TAP] 0x124c4:$c3: cmd.exe /c ping
00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12502:$reg: SEE_MASK_NOZONECHECKS 0x125da:$msg: Execute ERROR 0x12636:$msg: Execute ERROR 0x124c4:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11683:$a1: get_Registry 0x4ff4a:$a1: get_Registry 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x1287f:$a3: Download ERROR 0x51146:$a3: Download ERROR 0x12745:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5100c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x126d7:$a5: netsh firewall delete allowedprogram " 0x50f9e:$a5: netsh firewall delete allowedprogram "
00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x127b3:$a1: netsh firewall add allowedprogram 0x5107a:$a1: netsh firewall add allowedprogram 0x12783:$a2: SEE_MASK_NOZONECHECKS 0x5104a:$a2: SEE_MASK_NOZONECHECKS 0x12a2d:$b1: [TAP] 0x512f4:$b1: [TAP] 0x12745:$c3: cmd.exe /c ping 0x5100c:$c3: cmd.exe /c ping
00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12783:$reg: SEE_MASK_NOZONECHECKS 0x5104a:$reg: SEE_MASK_NOZONECHECKS 0x1285b:$msg: Execute ERROR 0x128b7:$msg: Execute ERROR 0x51122:$msg: Execute ERROR 0x5117e:$msg: Execute ERROR 0x12745:$ping: cmd.exe /c ping 0 -n 2 & del 0x5100c:$ping: cmd.exe /c ping 0 -n 2 & del
00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x117f3:$a1: get_Registry 0x500ba:$a1: get_Registry 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x129ef:$a3: Download ERROR 0x512b6:$a3: Download ERROR 0x128b5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5117c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12847:$a5: netsh firewall delete allowedprogram " 0x5110e:$a5: netsh firewall delete allowedprogram "
00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12923:$a1: netsh firewall add allowedprogram 0x511ea:$a1: netsh firewall add allowedprogram 0x128f3:$a2: SEE_MASK_NOZONECHECKS 0x511ba:$a2: SEE_MASK_NOZONECHECKS 0x12b9d:$b1: [TAP] 0x51464:$b1: [TAP] 0x128b5:$c3: cmd.exe /c ping 0x5117c:$c3: cmd.exe /c ping
00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128f3:$reg: SEE_MASK_NOZONECHECKS 0x511ba:$reg: SEE_MASK_NOZONECHECKS 0x129cb:$msg: Execute ERROR 0x12a27:$msg: Execute ERROR 0x51292:$msg: Execute ERROR 0x512ee:$msg: Execute ERROR 0x128b5:$ping: cmd.exe /c ping 0 -n 2 & del 0x5117c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1180b:$a1: get_Registry 0x500d2:$a1: get_Registry 0x1290b:$a2: SEE_MASK_NOZONECHECKS 0x511d2:$a2: SEE_MASK_NOZONECHECKS 0x12a07:$a3: Download ERROR 0x512ce:$a3: Download ERROR 0x128cd:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51194:$a4: cmd.exe /c ping 0 -n 2 & del " 0x1285f:$a5: netsh firewall delete allowedprogram " 0x51126:$a5: netsh firewall delete allowedprogram "
0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1293b:$a1: netsh firewall add allowedprogram 0x51202:$a1: netsh firewall add allowedprogram 0x1290b:$a2: SEE_MASK_NOZONECHECKS 0x511d2:$a2: SEE_MASK_NOZONECHECKS 0x12bb5:$b1: [TAP] 0x5147c:$b1: [TAP] 0x128cd:$c3: cmd.exe /c ping 0x51194:$c3: cmd.exe /c ping
0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1290b:$reg: SEE_MASK_NOZONECHECKS 0x511d2:$reg: SEE_MASK_NOZONECHECKS 0x129e3:$msg: Execute ERROR 0x12a3f:$msg: Execute ERROR 0x512aa:$msg: Execute ERROR 0x51306:$msg: Execute ERROR 0x128cd:$ping: cmd.exe /c ping 0 -n 2 & del 0x51194:$ping: cmd.exe /c ping 0 -n 2 & del
00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11732:$a1: get_Registry 0x12832:$a2: SEE_MASK_NOZONECHECKS 0x1292e:$a3: Download ERROR 0x127f4:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12786:$a5: netsh firewall delete allowedprogram "
00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12862:$a1: netsh firewall add allowedprogram 0x12832:$a2: SEE_MASK_NOZONECHECKS 0x12adc:$b1: [TAP] 0x127f4:$c3: cmd.exe /c ping
00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12832:$reg: SEE_MASK_NOZONECHECKS 0x1290a:$msg: Execute ERROR 0x12966:$msg: Execute ERROR 0x127f4:$ping: cmd.exe /c ping 0 -n 2 & del
00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x108aa:$a1: get_Registry 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11aa6:$a3: Download ERROR 0x1196c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x118fe:$a5: netsh firewall delete allowedprogram "
00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x119da:$a1: netsh firewall add allowedprogram 0x119aa:$a2: SEE_MASK_NOZONECHECKS 0x11c54:$b1: [TAP] 0x1196c:$c3: cmd.exe /c ping
00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x119aa:$reg: SEE_MASK_NOZONECHECKS 0x11a82:$msg: Execute ERROR 0x11ade:$msg: Execute ERROR 0x1196c:$ping: cmd.exe /c ping 0 -n 2 & del
00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11543:$a1: get_Registry 0x4fe0a:$a1: get_Registry 0x12643:$a2: SEE_MASK_NOZONECHECKS 0x50f0a:$a2: SEE_MASK_NOZONECHECKS 0x1273f:$a3: Download ERROR 0x51006:$a3: Download ERROR 0x12605:$a4: cmd.exe /c ping 0 -n 2 & del " 0x50ecc:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12597:$a5: netsh firewall delete allowedprogram " 0x50e5e:$a5: netsh firewall delete allowedprogram "
0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12673:$a1: netsh firewall add allowedprogram 0x50f3a:$a1: netsh firewall add allowedprogram 0x12643:$a2: SEE_MASK_NOZONECHECKS 0x50f0a:$a2: SEE_MASK_NOZONECHECKS 0x128ed:$b1: [TAP] 0x511b4:$b1: [TAP] 0x12605:$c3: cmd.exe /c ping 0x50ecc:$c3: cmd.exe /c ping
0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12643:$reg: SEE_MASK_NOZONECHECKS 0x50f0a:$reg: SEE_MASK_NOZONECHECKS 0x1271b:$msg: Execute ERROR 0x12777:$msg: Execute ERROR 0x50fe2:$msg: Execute ERROR 0x5103e:$msg: Execute ERROR 0x12605:$ping: cmd.exe /c ping 0 -n 2 & del 0x50ecc:$ping: cmd.exe /c ping 0 -n 2 & del
00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11a23:$a1: get_Registry 0x502ea:$a1: get_Registry 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12c1f:$a3: Download ERROR 0x514e6:$a3: Download ERROR 0x12ae5:$a4: cmd.exe /c ping 0 -n 2 & del " 0x513ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12a77:$a5: netsh firewall delete allowedprogram " 0x5133e:$a5: netsh firewall delete allowedprogram "
00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12b53:$a1: netsh firewall add allowedprogram 0x5141a:$a1: netsh firewall add allowedprogram 0x12b23:$a2: SEE_MASK_NOZONECHECKS 0x513ea:$a2: SEE_MASK_NOZONECHECKS 0x12dcd:$b1: [TAP] 0x51694:$b1: [TAP] 0x12ae5:$c3: cmd.exe /c ping 0x513ac:$c3: cmd.exe /c ping
00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12b23:$reg: SEE_MASK_NOZONECHECKS 0x513ea:$reg: SEE_MASK_NOZONECHECKS 0x12bfb:$msg: Execute ERROR 0x12c57:$msg: Execute ERROR 0x514c2:$msg: Execute ERROR 0x5151e:$msg: Execute ERROR 0x12ae5:$ping: cmd.exe /c ping 0 -n 2 & del 0x513ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11b83:$a1: get_Registry 0x5044a:$a1: get_Registry 0x12c83:$a2: SEE_MASK_NOZONECHECKS 0x5154a:$a2: SEE_MASK_NOZONECHECKS 0x12d7f:$a3: Download ERROR 0x51646:$a3: Download ERROR 0x12c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x5150c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12bd7:$a5: netsh firewall delete allowedprogram " 0x5149e:$a5: netsh firewall delete allowedprogram "
0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12cb3:$a1: netsh firewall add allowedprogram 0x5157a:$a1: netsh firewall add allowedprogram 0x12c83:$a2: SEE_MASK_NOZONECHECKS 0x5154a:$a2: SEE_MASK_NOZONECHECKS 0x12f2d:$b1: [TAP] 0x517f4:$b1: [TAP] 0x12c45:$c3: cmd.exe /c ping 0x5150c:$c3: cmd.exe /c ping
0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12c83:$reg: SEE_MASK_NOZONECHECKS 0x5154a:$reg: SEE_MASK_NOZONECHECKS 0x12d5b:$msg: Execute ERROR 0x12db7:$msg: Execute ERROR 0x51622:$msg: Execute ERROR 0x5167e:$msg: Execute ERROR 0x12c45:$ping: cmd.exe /c ping 0 -n 2 & del 0x5150c:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11cdb:$a1: get_Registry 0x505a2:$a1: get_Registry 0x12ddb:$a2: SEE_MASK_NOZONECHECKS 0x516a2:$a2: SEE_MASK_NOZONECHECKS 0x12ed7:$a3: Download ERROR 0x5179e:$a3: Download ERROR 0x12d9d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51664:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12d2f:$a5: netsh firewall delete allowedprogram " 0x515f6:$a5: netsh firewall delete allowedprogram "
00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12e0b:$a1: netsh firewall add allowedprogram 0x516d2:$a1: netsh firewall add allowedprogram 0x12ddb:$a2: SEE_MASK_NOZONECHECKS 0x516a2:$a2: SEE_MASK_NOZONECHECKS 0x13085:$b1: [TAP] 0x5194c:$b1: [TAP] 0x12d9d:$c3: cmd.exe /c ping 0x51664:$c3: cmd.exe /c ping
00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12ddb:$reg: SEE_MASK_NOZONECHECKS 0x516a2:$reg: SEE_MASK_NOZONECHECKS 0x12eb3:$msg: Execute ERROR 0x12f0f:$msg: Execute ERROR 0x5177a:$msg: Execute ERROR 0x517d6:$msg: Execute ERROR 0x12d9d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51664:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x11c8b:$a1: get_Registry 0x50552:$a1: get_Registry 0x12d8b:$a2: SEE_MASK_NOZONECHECKS 0x51652:$a2: SEE_MASK_NOZONECHECKS 0x12e87:$a3: Download ERROR 0x5174e:$a3: Download ERROR 0x12d4d:$a4: cmd.exe /c ping 0 -n 2 & del " 0x51614:$a4: cmd.exe /c ping 0 -n 2 & del " 0x12cdf:$a5: netsh firewall delete allowedprogram " 0x515a6:$a5: netsh firewall delete allowedprogram "
00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x12dbb:$a1: netsh firewall add allowedprogram 0x51682:$a1: netsh firewall add allowedprogram 0x12d8b:$a2: SEE_MASK_NOZONECHECKS 0x51652:$a2: SEE_MASK_NOZONECHECKS 0x13035:$b1: [TAP] 0x518fc:$b1: [TAP] 0x12d4d:$c3: cmd.exe /c ping 0x51614:$c3: cmd.exe /c ping
00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x12d8b:$reg: SEE_MASK_NOZONECHECKS 0x51652:$reg: SEE_MASK_NOZONECHECKS 0x12e63:$msg: Execute ERROR 0x12ebf:$msg: Execute ERROR 0x5172a:$msg: Execute ERROR 0x51786:$msg: Execute ERROR 0x12d4d:$ping: cmd.exe /c ping 0 -n 2 & del 0x51614:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: f6t9qa761D.exe PID: 7816	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: f6t9qa761D.exe PID: 7816	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jagibbdg.exe PID: 7860	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jagibbdg.exe PID: 7860	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Jokilfca.exe PID: 7876	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Jokilfca.exe PID: 7876	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Kegnnphk.exe PID: 7892	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Kegnnphk.exe PID: 7892	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Knccbbff.exe PID: 7908	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Knccbbff.exe PID: 7908	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Kkgclgep.exe PID: 7924	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Kkgclgep.exe PID: 7924	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Kkipaf32.exe PID: 7956	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Kkipaf32.exe PID: 7956	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Loplncai.exe PID: 7984	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Loplncai.exe PID: 7984	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mlfimg32.exe PID: 8000	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mlfimg32.exe PID: 8000	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mhmiah32.exe PID: 8016	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mhmiah32.exe PID: 8016	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mddjfiih.exe PID: 8032	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mddjfiih.exe PID: 8032	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mbhkpnhb.exe PID: 8048	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mbhkpnhb.exe PID: 8048	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mkqoicnb.exe PID: 8064	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mkqoicnb.exe PID: 8064	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mdicai32.exe PID: 8080	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mdicai32.exe PID: 8080	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Mfhplllf.exe PID: 8100	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Mfhplllf.exe PID: 8100	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nncepn32.exe PID: 8116	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nncepn32.exe PID: 8116	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nmdeneap.exe PID: 8132	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nmdeneap.exe PID: 8132	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nfmigk32.exe PID: 8148	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nfmigk32.exe PID: 8148	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nnhnkmek.exe PID: 8168	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nnhnkmek.exe PID: 8168	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ninbhfea.exe PID: 8184	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ninbhfea.exe PID: 8184	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Nfacbjdk.exe PID: 7192	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Nfacbjdk.exe PID: 7192	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Npjgkp32.exe PID: 7244	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Npjgkp32.exe PID: 7244	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Opldpphi.exe PID: 7288	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Opldpphi.exe PID: 7288	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Oiehie32.exe PID: 7340	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Oiehie32.exe PID: 7340	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Obmmbkej.exe PID: 7384	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Obmmbkej.exe PID: 7384	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Oleakplj.exe PID: 7432	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Oleakplj.exe PID: 7432	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Oiibddkd.exe PID: 7476	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Oiibddkd.exe PID: 7476	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Ofmbni32.exe PID: 7528	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Ofmbni32.exe PID: 7528	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Onigbk32.exe PID: 7580	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Onigbk32.exe PID: 7580	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Pnkdgk32.exe PID: 7628	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Pnkdgk32.exe PID: 7628	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Plaafobm.exe PID: 1668	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Plaafobm.exe PID: 1668	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Plfjan32.exe PID: 1672	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Plfjan32.exe PID: 1672	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Abgiogom.exe PID: 2540	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Abgiogom.exe PID: 2540	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Afeaee32.exe PID: 6736	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Afeaee32.exe PID: 6736	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Apmfnklc.exe PID: 5756	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Apmfnklc.exe PID: 5756	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Aiejgqbd.exe PID: 5820	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Aiejgqbd.exe PID: 5820	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Abnopf32.exe PID: 932	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Abnopf32.exe PID: 932	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Boepdgoi.exe PID: 5860	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Boepdgoi.exe PID: 5860	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Bmfpbogh.exe PID: 6704	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
Process Memory Space: Bmfpbogh.exe PID: 6704	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 384 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.3.Mfhplllf.exe.4ea6cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.3.Mfhplllf.exe.4ea6cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
15.3.Mfhplllf.exe.4ea6cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
15.3.Mfhplllf.exe.4ea6cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
15.3.Mfhplllf.exe.4ea6cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
15.3.Mfhplllf.exe.4ea6cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
13.3.Mkqoicnb.exe.78a1dc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.3.Mkqoicnb.exe.78a1dc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
13.3.Mkqoicnb.exe.78a1dc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
13.3.Mkqoicnb.exe.78a1dc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
13.3.Mkqoicnb.exe.78a1dc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
13.3.Mkqoicnb.exe.78a1dc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
6.3.Kkgclgep.exe.4fa5d4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
6.3.Kkgclgep.exe.4fa5d4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
6.3.Kkgclgep.exe.4fa5d4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
6.3.Kkgclgep.exe.4fa5d4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
6.3.Kkgclgep.exe.4fa5d4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
6.3.Kkgclgep.exe.4fa5d4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
2.2.Jagibbdg.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
5.3.Knccbbff.exe.57956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.3.Knccbbff.exe.57956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
5.3.Knccbbff.exe.57956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
5.3.Knccbbff.exe.57956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
5.3.Knccbbff.exe.57956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
5.3.Knccbbff.exe.57956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
5.2.Knccbbff.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
30.2.Pnkdgk32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
18.2.Nfmigk32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
27.3.Oiibddkd.exe.84a1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
27.3.Oiibddkd.exe.84a1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
39.3.Bmfpbogh.exe.7a956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
27.3.Oiibddkd.exe.84a1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
39.3.Bmfpbogh.exe.7a956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
27.3.Oiibddkd.exe.84a1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
39.3.Bmfpbogh.exe.7a956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
27.3.Oiibddkd.exe.84a1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
39.3.Bmfpbogh.exe.7a956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
27.3.Oiibddkd.exe.84a1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
39.3.Bmfpbogh.exe.7a956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
39.3.Bmfpbogh.exe.7a956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
27.2.Oiibddkd.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
32.3.Plfjan32.exe.67956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
32.3.Plfjan32.exe.67956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
32.3.Plfjan32.exe.67956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
32.3.Plfjan32.exe.67956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
32.3.Plfjan32.exe.67956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
37.3.Abnopf32.exe.689284.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
37.3.Abnopf32.exe.689284.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
37.3.Abnopf32.exe.689284.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
37.3.Abnopf32.exe.689284.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
37.3.Abnopf32.exe.689284.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
37.3.Abnopf32.exe.689284.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
17.2.Nmdeneap.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
14.2.Mdicai32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.2.Onigbk32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
2.3.Jagibbdg.exe.53a6dc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.3.Jagibbdg.exe.53a6dc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
2.3.Jagibbdg.exe.53a6dc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
2.3.Jagibbdg.exe.53a6dc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
2.3.Jagibbdg.exe.53a6dc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
2.3.Jagibbdg.exe.53a6dc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
3.3.Jokilfca.exe.77a334.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.3.Jokilfca.exe.77a334.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
3.3.Jokilfca.exe.77a334.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
3.3.Jokilfca.exe.77a334.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
3.3.Jokilfca.exe.77a334.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
3.3.Jokilfca.exe.77a334.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
27.3.Oiibddkd.exe.84a1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
27.3.Oiibddkd.exe.84a1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
27.3.Oiibddkd.exe.84a1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
27.3.Oiibddkd.exe.84a1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
27.3.Oiibddkd.exe.84a1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
8.2.Loplncai.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
8.3.Loplncai.exe.5a9704.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.3.Loplncai.exe.5a9704.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
8.3.Loplncai.exe.5a9704.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
8.3.Loplncai.exe.5a9704.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
8.3.Loplncai.exe.5a9704.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
8.3.Loplncai.exe.5a9704.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
16.2.Nncepn32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
4.3.Kegnnphk.exe.7c956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.3.Kegnnphk.exe.7c956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
4.3.Kegnnphk.exe.7c956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
4.3.Kegnnphk.exe.7c956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
4.3.Kegnnphk.exe.7c956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
4.3.Kegnnphk.exe.7c956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
30.3.Pnkdgk32.exe.73956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
30.3.Pnkdgk32.exe.73956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
30.3.Pnkdgk32.exe.73956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
30.3.Pnkdgk32.exe.73956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
30.3.Pnkdgk32.exe.73956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
30.3.Pnkdgk32.exe.73956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
13.2.Mkqoicnb.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
4.2.Kegnnphk.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
16.2.Nncepn32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.3.Onigbk32.exe.6aa354.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
29.3.Onigbk32.exe.6aa354.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
29.3.Onigbk32.exe.6aa354.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
29.3.Onigbk32.exe.6aa354.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
29.3.Onigbk32.exe.6aa354.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
23.2.Opldpphi.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
24.3.Oiehie32.exe.74a33c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
24.3.Oiehie32.exe.74a33c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
24.3.Oiehie32.exe.74a33c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
24.3.Oiehie32.exe.74a33c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
24.3.Oiehie32.exe.74a33c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
38.3.Boepdgoi.exe.5c956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.Boepdgoi.exe.5c956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
38.3.Boepdgoi.exe.5c956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
38.3.Boepdgoi.exe.5c956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
38.3.Boepdgoi.exe.5c956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
22.2.Npjgkp32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.2.Mbhkpnhb.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
29.2.Onigbk32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
5.3.Knccbbff.exe.57956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.3.Knccbbff.exe.57956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
5.3.Knccbbff.exe.57956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
5.3.Knccbbff.exe.57956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
5.3.Knccbbff.exe.57956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
19.2.Nnhnkmek.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
10.2.Mhmiah32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
31.3.Plaafobm.exe.81956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
31.3.Plaafobm.exe.81956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
31.3.Plaafobm.exe.81956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
31.3.Plaafobm.exe.81956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
31.3.Plaafobm.exe.81956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
31.2.Plaafobm.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
1.3.f6t9qa761D.exe.4d973c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.3.f6t9qa761D.exe.4d973c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
1.3.f6t9qa761D.exe.4d973c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
1.3.f6t9qa761D.exe.4d973c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
1.3.f6t9qa761D.exe.4d973c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
21.2.Nfacbjdk.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.2.Mbhkpnhb.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
26.2.Oleakplj.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.2.Npjgkp32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
20.3.Ninbhfea.exe.7ea344.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.3.Ninbhfea.exe.7ea344.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
20.3.Ninbhfea.exe.7ea344.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
20.3.Ninbhfea.exe.7ea344.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
20.3.Ninbhfea.exe.7ea344.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
8.3.Loplncai.exe.5a9704.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.3.Loplncai.exe.5a9704.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
8.3.Loplncai.exe.5a9704.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
8.3.Loplncai.exe.5a9704.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
8.3.Loplncai.exe.5a9704.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
24.2.Oiehie32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
39.2.Bmfpbogh.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
11.3.Mddjfiih.exe.5ca984.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Mddjfiih.exe.5ca984.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
11.3.Mddjfiih.exe.5ca984.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
11.3.Mddjfiih.exe.5ca984.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
32.3.Plfjan32.exe.67956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Mddjfiih.exe.5ca984.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
11.3.Mddjfiih.exe.5ca984.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
32.3.Plfjan32.exe.67956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
32.3.Plfjan32.exe.67956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
32.3.Plfjan32.exe.67956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
32.3.Plfjan32.exe.67956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
32.3.Plfjan32.exe.67956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
14.3.Mdicai32.exe.7fa354.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
14.3.Mdicai32.exe.7fa354.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
14.3.Mdicai32.exe.7fa354.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
14.3.Mdicai32.exe.7fa354.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
14.3.Mdicai32.exe.7fa354.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
25.2.Obmmbkej.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
27.2.Oiibddkd.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
20.2.Ninbhfea.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
28.3.Ofmbni32.exe.48a5d4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
28.3.Ofmbni32.exe.48a5d4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
28.3.Ofmbni32.exe.48a5d4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
28.3.Ofmbni32.exe.48a5d4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
28.3.Ofmbni32.exe.48a5d4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
10.3.Mhmiah32.exe.5ea1dc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.3.Nfacbjdk.exe.6197d4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.3.Mhmiah32.exe.5ea1dc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
10.3.Mhmiah32.exe.5ea1dc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
21.3.Nfacbjdk.exe.6197d4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
10.3.Mhmiah32.exe.5ea1dc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
21.3.Nfacbjdk.exe.6197d4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
21.3.Nfacbjdk.exe.6197d4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
21.3.Nfacbjdk.exe.6197d4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
10.3.Mhmiah32.exe.5ea1dc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
10.3.Mhmiah32.exe.5ea1dc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
18.3.Nfmigk32.exe.63a1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.3.Nfmigk32.exe.63a1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
18.3.Nfmigk32.exe.63a1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
18.3.Nfmigk32.exe.63a1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
18.3.Nfmigk32.exe.63a1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
18.3.Nfmigk32.exe.63a1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
28.2.Ofmbni32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
15.2.Mfhplllf.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
13.2.Mkqoicnb.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
12.3.Mbhkpnhb.exe.4e9744.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.3.Mbhkpnhb.exe.4e9744.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
12.3.Mbhkpnhb.exe.4e9744.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
12.3.Mbhkpnhb.exe.4e9744.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
12.3.Mbhkpnhb.exe.4e9744.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
12.3.Mbhkpnhb.exe.4e9744.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
1.2.f6t9qa761D.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
20.2.Ninbhfea.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
2.2.Jagibbdg.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
25.2.Obmmbkej.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
6.2.Kkgclgep.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
9.2.Mlfimg32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
7.3.Kkipaf32.exe.61956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.3.Kkipaf32.exe.61956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
7.3.Kkipaf32.exe.61956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
7.3.Kkipaf32.exe.61956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
7.3.Kkipaf32.exe.61956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
7.3.Kkipaf32.exe.61956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
26.3.Oleakplj.exe.6b908c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
26.3.Oleakplj.exe.6b908c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
26.3.Oleakplj.exe.6b908c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
26.3.Oleakplj.exe.6b908c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
26.3.Oleakplj.exe.6b908c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
26.3.Oleakplj.exe.6b908c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
1.3.f6t9qa761D.exe.4d973c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.3.f6t9qa761D.exe.4d973c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
1.3.f6t9qa761D.exe.4d973c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
1.3.f6t9qa761D.exe.4d973c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
1.3.f6t9qa761D.exe.4d973c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
1.3.f6t9qa761D.exe.4d973c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
33.2.Abgiogom.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
34.2.Afeaee32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
36.3.Aiejgqbd.exe.6aa334.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.Aiejgqbd.exe.6aa334.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
36.3.Aiejgqbd.exe.6aa334.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
36.3.Aiejgqbd.exe.6aa334.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
36.3.Aiejgqbd.exe.6aa334.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
36.3.Aiejgqbd.exe.6aa334.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
35.3.Apmfnklc.exe.52967c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
35.3.Apmfnklc.exe.52967c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
35.3.Apmfnklc.exe.52967c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
35.3.Apmfnklc.exe.52967c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
35.3.Apmfnklc.exe.52967c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
35.3.Apmfnklc.exe.52967c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
32.2.Plfjan32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
8.2.Loplncai.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
19.2.Nnhnkmek.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
26.3.Oleakplj.exe.6b908c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
26.3.Oleakplj.exe.6b908c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
26.3.Oleakplj.exe.6b908c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
26.3.Oleakplj.exe.6b908c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
26.3.Oleakplj.exe.6b908c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
30.2.Pnkdgk32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
37.2.Abnopf32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
15.2.Mfhplllf.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
33.3.Abgiogom.exe.519824.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
34.3.Afeaee32.exe.6aa1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
33.3.Abgiogom.exe.519824.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
34.3.Afeaee32.exe.6aa1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
33.3.Abgiogom.exe.519824.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
33.3.Abgiogom.exe.519824.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
34.3.Afeaee32.exe.6aa1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
34.3.Afeaee32.exe.6aa1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
33.3.Abgiogom.exe.519824.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
33.3.Abgiogom.exe.519824.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
34.3.Afeaee32.exe.6aa1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
34.3.Afeaee32.exe.6aa1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
35.2.Apmfnklc.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
38.3.Boepdgoi.exe.5c956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.Boepdgoi.exe.5c956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
38.3.Boepdgoi.exe.5c956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
38.3.Boepdgoi.exe.5c956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
38.3.Boepdgoi.exe.5c956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
38.3.Boepdgoi.exe.5c956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
10.2.Mhmiah32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
21.2.Nfacbjdk.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
35.2.Apmfnklc.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
33.2.Abgiogom.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
7.2.Kkipaf32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
35.3.Apmfnklc.exe.52967c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
35.3.Apmfnklc.exe.52967c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
35.3.Apmfnklc.exe.52967c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
35.3.Apmfnklc.exe.52967c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
35.3.Apmfnklc.exe.52967c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
38.2.Boepdgoi.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
28.2.Ofmbni32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
14.3.Mdicai32.exe.7fa354.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
14.3.Mdicai32.exe.7fa354.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
14.3.Mdicai32.exe.7fa354.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
14.3.Mdicai32.exe.7fa354.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
14.3.Mdicai32.exe.7fa354.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
14.3.Mdicai32.exe.7fa354.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
31.2.Plaafobm.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
3.2.Jokilfca.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
25.3.Obmmbkej.exe.61956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
25.3.Obmmbkej.exe.61956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
25.3.Obmmbkej.exe.61956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
25.3.Obmmbkej.exe.61956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
25.3.Obmmbkej.exe.61956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
18.3.Nfmigk32.exe.63a1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.3.Nfmigk32.exe.63a1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
18.3.Nfmigk32.exe.63a1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
18.3.Nfmigk32.exe.63a1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
18.3.Nfmigk32.exe.63a1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
17.2.Nmdeneap.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
33.3.Abgiogom.exe.519824.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
33.3.Abgiogom.exe.519824.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
33.3.Abgiogom.exe.519824.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
33.3.Abgiogom.exe.519824.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
33.3.Abgiogom.exe.519824.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
20.3.Ninbhfea.exe.7ea344.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.3.Ninbhfea.exe.7ea344.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
20.3.Ninbhfea.exe.7ea344.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
20.3.Ninbhfea.exe.7ea344.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
20.3.Ninbhfea.exe.7ea344.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
20.3.Ninbhfea.exe.7ea344.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
4.3.Kegnnphk.exe.7c956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.3.Kegnnphk.exe.7c956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
4.3.Kegnnphk.exe.7c956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
4.3.Kegnnphk.exe.7c956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
4.3.Kegnnphk.exe.7c956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
24.2.Oiehie32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.3.Npjgkp32.exe.52a33c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
22.3.Npjgkp32.exe.52a33c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
22.3.Npjgkp32.exe.52a33c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
22.3.Npjgkp32.exe.52a33c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
22.3.Npjgkp32.exe.52a33c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
22.3.Npjgkp32.exe.52a33c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
31.3.Plaafobm.exe.81956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
31.3.Plaafobm.exe.81956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
31.3.Plaafobm.exe.81956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
31.3.Plaafobm.exe.81956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
31.3.Plaafobm.exe.81956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
31.3.Plaafobm.exe.81956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
39.2.Bmfpbogh.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
17.3.Nmdeneap.exe.61a1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.3.Nmdeneap.exe.61a1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
17.3.Nmdeneap.exe.61a1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
17.3.Nmdeneap.exe.61a1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
17.3.Nmdeneap.exe.61a1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
17.3.Nmdeneap.exe.61a1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
17.3.Nmdeneap.exe.61a1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.3.Nmdeneap.exe.61a1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
17.3.Nmdeneap.exe.61a1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
17.3.Nmdeneap.exe.61a1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
17.3.Nmdeneap.exe.61a1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
36.2.Aiejgqbd.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
6.2.Kkgclgep.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
16.3.Nncepn32.exe.61a33c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.3.Nncepn32.exe.61a33c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
16.3.Nncepn32.exe.61a33c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
16.3.Nncepn32.exe.61a33c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
16.3.Nncepn32.exe.61a33c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
16.3.Nncepn32.exe.61a33c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
14.2.Mdicai32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
18.2.Nfmigk32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
26.2.Oleakplj.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
11.3.Mddjfiih.exe.5ca984.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Mddjfiih.exe.5ca984.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.3.Mddjfiih.exe.5ca984.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
11.3.Mddjfiih.exe.5ca984.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
11.3.Mddjfiih.exe.5ca984.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
19.3.Nnhnkmek.exe.4ea1c4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
34.3.Afeaee32.exe.6aa1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.3.Opldpphi.exe.62a1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
34.3.Afeaee32.exe.6aa1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
23.3.Opldpphi.exe.62a1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
34.3.Afeaee32.exe.6aa1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
34.3.Afeaee32.exe.6aa1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
34.3.Afeaee32.exe.6aa1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
36.2.Aiejgqbd.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
23.3.Opldpphi.exe.62a1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
23.3.Opldpphi.exe.62a1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
23.3.Opldpphi.exe.62a1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
23.3.Opldpphi.exe.62a1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
11.2.Mddjfiih.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
23.2.Opldpphi.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
34.2.Afeaee32.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
28.3.Ofmbni32.exe.48a5d4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
28.3.Ofmbni32.exe.48a5d4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
28.3.Ofmbni32.exe.48a5d4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
28.3.Ofmbni32.exe.48a5d4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
28.3.Ofmbni32.exe.48a5d4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
28.3.Ofmbni32.exe.48a5d4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
5.2.Knccbbff.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
22.3.Npjgkp32.exe.52a33c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
22.3.Npjgkp32.exe.52a33c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
22.3.Npjgkp32.exe.52a33c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
22.3.Npjgkp32.exe.52a33c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
22.3.Npjgkp32.exe.52a33c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
4.2.Kegnnphk.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
37.2.Abnopf32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
1.2.f6t9qa761D.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
11.2.Mddjfiih.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
21.3.Nfacbjdk.exe.6197d4.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.3.Nfacbjdk.exe.6197d4.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
21.3.Nfacbjdk.exe.6197d4.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
21.3.Nfacbjdk.exe.6197d4.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
21.3.Nfacbjdk.exe.6197d4.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
21.3.Nfacbjdk.exe.6197d4.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
39.3.Bmfpbogh.exe.7a956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
39.3.Bmfpbogh.exe.7a956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
39.3.Bmfpbogh.exe.7a956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
39.3.Bmfpbogh.exe.7a956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
39.3.Bmfpbogh.exe.7a956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
38.2.Boepdgoi.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
3.3.Jokilfca.exe.77a334.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.3.Mlfimg32.exe.7aa1cc.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.3.Jokilfca.exe.77a334.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
9.3.Mlfimg32.exe.7aa1cc.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
3.3.Jokilfca.exe.77a334.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
9.3.Mlfimg32.exe.7aa1cc.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
3.3.Jokilfca.exe.77a334.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
3.3.Jokilfca.exe.77a334.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
9.3.Mlfimg32.exe.7aa1cc.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
9.3.Mlfimg32.exe.7aa1cc.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
9.3.Mlfimg32.exe.7aa1cc.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
36.3.Aiejgqbd.exe.6aa334.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
36.3.Aiejgqbd.exe.6aa334.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
36.3.Aiejgqbd.exe.6aa334.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
36.3.Aiejgqbd.exe.6aa334.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
36.3.Aiejgqbd.exe.6aa334.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
24.3.Oiehie32.exe.74a33c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
24.3.Oiehie32.exe.74a33c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
24.3.Oiehie32.exe.74a33c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
24.3.Oiehie32.exe.74a33c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
24.3.Oiehie32.exe.74a33c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
24.3.Oiehie32.exe.74a33c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
23.3.Opldpphi.exe.62a1cc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.3.Opldpphi.exe.62a1cc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
23.3.Opldpphi.exe.62a1cc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
23.3.Opldpphi.exe.62a1cc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
23.3.Opldpphi.exe.62a1cc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
9.2.Mlfimg32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
7.2.Kkipaf32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
30.3.Pnkdgk32.exe.73956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.3.Jagibbdg.exe.53a6dc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
30.3.Pnkdgk32.exe.73956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
2.3.Jagibbdg.exe.53a6dc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
30.3.Pnkdgk32.exe.73956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
2.3.Jagibbdg.exe.53a6dc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
2.3.Jagibbdg.exe.53a6dc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
2.3.Jagibbdg.exe.53a6dc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
30.3.Pnkdgk32.exe.73956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
30.3.Pnkdgk32.exe.73956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.3.Kkipaf32.exe.61956c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
7.3.Kkipaf32.exe.61956c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
7.3.Kkipaf32.exe.61956c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
7.3.Kkipaf32.exe.61956c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
37.3.Abnopf32.exe.689284.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.3.Kkipaf32.exe.61956c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
37.3.Abnopf32.exe.689284.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
37.3.Abnopf32.exe.689284.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
37.3.Abnopf32.exe.689284.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
37.3.Abnopf32.exe.689284.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
25.3.Obmmbkej.exe.61956c.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
25.3.Obmmbkej.exe.61956c.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
25.3.Obmmbkej.exe.61956c.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
25.3.Obmmbkej.exe.61956c.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
25.3.Obmmbkej.exe.61956c.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
25.3.Obmmbkej.exe.61956c.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
32.2.Plfjan32.exe.400000.0.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
3.2.Jokilfca.exe.42bdf8.1.raw.unpack	JoeSecurity_Berbew	Yara detected Berbew	Joe Security
16.3.Nncepn32.exe.61a33c.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.3.Nncepn32.exe.61a33c.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
16.3.Nncepn32.exe.61a33c.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
16.3.Nncepn32.exe.61a33c.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
16.3.Nncepn32.exe.61a33c.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
29.3.Onigbk32.exe.6aa354.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
29.3.Onigbk32.exe.6aa354.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xa0ea:$a1: get_Registry 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb2e6:$a3: Download ERROR 0xb1ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0xb13e:$a5: netsh firewall delete allowedprogram "
29.3.Onigbk32.exe.6aa354.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xb1ac:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb304:$s3: Executed As 0xb2e6:$s6: Download ERROR
29.3.Onigbk32.exe.6aa354.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xb21a:$a1: netsh firewall add allowedprogram 0xb1ea:$a2: SEE_MASK_NOZONECHECKS 0xb494:$b1: [TAP] 0xb1ac:$c3: cmd.exe /c ping
29.3.Onigbk32.exe.6aa354.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xb1ea:$reg: SEE_MASK_NOZONECHECKS 0xb2c2:$msg: Execute ERROR 0xb31e:$msg: Execute ERROR 0xb1ac:$ping: cmd.exe /c ping 0 -n 2 & del
29.3.Onigbk32.exe.6aa354.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xb13e:$s1: netsh firewall delete allowedprogram 0xb21a:$s2: netsh firewall add allowedprogram 0xb1ac:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb2c2:$s4: Execute ERROR 0xb31e:$s4: Execute ERROR 0xb2e6:$s5: Download ERROR 0xb44a:$s6: [kl]
19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x2cd7e:$a1: get_Registry 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2df7a:$a3: Download ERROR 0x2de40:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2ddd2:$a5: netsh firewall delete allowedprogram "
19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2deae:$a1: netsh firewall add allowedprogram 0x2de7e:$a2: SEE_MASK_NOZONECHECKS 0x2e128:$b1: [TAP] 0x2de40:$c3: cmd.exe /c ping
19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2de7e:$reg: SEE_MASK_NOZONECHECKS 0x2df56:$msg: Execute ERROR 0x2dfb2:$msg: Execute ERROR 0x2de40:$ping: cmd.exe /c ping 0 -n 2 & del
19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ddd2:$s1: netsh firewall delete allowedprogram 0x2deae:$s2: netsh firewall add allowedprogram 0x2de40:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x2df56:$s4: Execute ERROR 0x2dfb2:$s4: Execute ERROR 0x2df7a:$s5: Download ERROR 0x2e0de:$s6: [kl]
Click to see the 502 entries

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: {79FEACFF-FFCE-815E-A900-316290B5B738}, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\f6t9qa761D.exe, ProcessId: 7816, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f6t9qa761D.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://color-bank.ru/index.php	Avira URL Cloud: Label: malware
Source: http://parex-bank.ru/index.htm	Avira URL Cloud: Label: malware
Source: http://kidos-bank.ru/index.htm	Avira URL Cloud: Label: malware
Source: http://ros-neftbank.ru/index.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\Folfac32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Cboabb32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Gfhipbln.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Caghjf32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Abagca32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ihifngfk.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Efhade32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Akecacdm.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Gkehlfaa.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Afeaee32.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Cjemgabj.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Abnopf32.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Clajoglf.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Flbkld32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Eeflcm32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ekdhoi32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Gdcmha32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Abgiogom.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bkmjkjhd.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Imjgmahp.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Beadgadc.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Fompebbg.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Doaepp32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Eoifoe32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Eakcoodc.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Efljmjpm.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Fkcpdl32.dll	Avira: detection malicious, Label: TR/ATRAPS.Gen

Multi AV Scanner detection for domain / URL

Source: http://gaz-prom.ru/index.htm	Virustotal: Detection: 8%	Perma Link
Source: http://kidos-bank.ru/index.htm	Virustotal: Detection: 12%	Perma Link
Source: http://mazafaka.ru/index.htm	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\Abagca32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Abnopf32.exe	ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Afeaee32.exe	ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Akecacdm.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Bkmjkjhd.dll	ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Caghjf32.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Cboabb32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Cjemgabj.dll	ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Clajoglf.dll	ReversingLabs: Detection: 85%
Source: C:\Windows\SysWOW64\Doaepp32.dll	ReversingLabs: Detection: 90%
Source: C:\Windows\SysWOW64\Eakcoodc.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Eeflcm32.dll	ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Efhade32.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Efljmjpm.dll	ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Ekdhoi32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Eoifoe32.dll	ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Fkcpdl32.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Flbkld32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Folfac32.dll	ReversingLabs: Detection: 90%
Source: C:\Windows\SysWOW64\Fompebbg.dll	ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Gdcmha32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Gfhipbln.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Gkehlfaa.dll	ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Ihifngfk.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Imjgmahp.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Jdlgaj32.dll	ReversingLabs: Detection: 90%
Source: C:\Windows\SysWOW64\Jflaad32.dll	ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Jhemcd32.dll	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Jpegka32.dll	ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Kbelgk32.dll	ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Khhkcgiq.dll	ReversingLabs: Detection: 90%

Multi AV Scanner detection for submitted file

Source: f6t9qa761D.exe	Virustotal: Detection: 91%			Perma Link
Source: f6t9qa761D.exe	ReversingLabs: Detection: 100%

Yara detected Njrat

Source: Yara match	File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\Folfac32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cboabb32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Gfhipbln.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Caghjf32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Abagca32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ihifngfk.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Efhade32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Akecacdm.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Gkehlfaa.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Afeaee32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cjemgabj.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Abnopf32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Clajoglf.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Flbkld32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Eeflcm32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekdhoi32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Gdcmha32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Abgiogom.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bkmjkjhd.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Imjgmahp.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Beadgadc.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Fompebbg.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Doaepp32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Eoifoe32.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Eakcoodc.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Efljmjpm.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Fkcpdl32.dll	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f6t9qa761D.exe

Joe Sandbox ML: detected

Source: f6t9qa761D.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then jne 0043001Eh	1_2_0043000C
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then je 00403D01h	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xor dword ptr [eax], ecx	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then inc eax	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then jne 00403CD7h	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then mov eax, 0042B000h	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then je 00403D37h	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xor dword ptr [eax], ecx	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then add eax, 04h	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then jne 00403D1Fh	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then popad	1_2_00403CB3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	1_2_00403D50
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then add ebx, 04h	1_2_00403D50
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then jl 00403D74h	1_2_00403D50
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then add eax, 0Ch	1_2_00403D50
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then popad	1_2_00403D50
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then pop edi	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then mov ebx, 00408F6Ch	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then sub ecx, eax	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xor edx, edx	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then push eax	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then div edi	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xchg eax, ecx	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then add eax, edi	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then loop 00403E23h	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then mov eax, 0042B000h	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then mov ebx, 0042E3D0h	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then sub ecx, eax	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xor edx, edx	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then push eax	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then div edi	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then xchg eax, ecx	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then add eax, edi	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then loop 00403E83h	1_2_00403DC3
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: 4x nop then popad	1_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then div edi	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, edi	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor dword ptr [eax], esi	2_2_00430000
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then je 00403D01h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor dword ptr [eax], ecx	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then inc eax	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then jne 00403CD7h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov eax, 0042B000h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then je 00403D37h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor dword ptr [eax], ecx	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, 04h	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then jne 00403D1Fh	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then popad	2_2_00403CB3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	2_2_00403D50
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add ebx, 04h	2_2_00403D50
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then jl 00403D74h	2_2_00403D50
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, 0Ch	2_2_00403D50
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then popad	2_2_00403D50
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then pop edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov ebx, 00408F6Ch	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor edx, edx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then div edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xchg eax, ecx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then loop 00403E23h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov eax, 0042B000h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor edx, edx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then div edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xchg eax, ecx	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, edi	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then loop 00403E83h	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then popad	2_2_00403DC3
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then div edi	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then add eax, edi	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then mov ebx, 0042E3D0h	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then sub ecx, eax	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then push eax	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: 4x nop then xor dword ptr [eax], esi	2_2_0042FE60
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then sub ecx, eax	3_2_00430068
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then push eax	3_2_00430068
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor dword ptr [eax], esi	3_2_00430068
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add eax, 00403DAAh	3_2_0043000C
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov edx, dword ptr [eax+08h]	3_2_0043000C
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor dword ptr [ebx], edx	3_2_0043000C
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then je 00403D01h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor dword ptr [eax], ecx	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then inc eax	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then jne 00403CD7h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov eax, 0042B000h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then je 00403D37h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor dword ptr [eax], ecx	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add eax, 04h	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then jne 00403D1Fh	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then popad	3_2_00403CB3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	3_2_00403D50
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add ebx, 04h	3_2_00403D50
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then jl 00403D74h	3_2_00403D50
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add eax, 0Ch	3_2_00403D50
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then popad	3_2_00403D50
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then pop edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov ebx, 00408F6Ch	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then sub ecx, eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor edx, edx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then push eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then div edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xchg eax, ecx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add eax, edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then loop 00403E23h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov eax, 0042B000h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then mov ebx, 0042E3D0h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then sub ecx, eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xor edx, edx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then push eax	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then div edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then xchg eax, ecx	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then add eax, edi	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then loop 00403E83h	3_2_00403DC3
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: 4x nop then popad	3_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then sub ecx, eax	4_2_0043006E
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then push eax	4_2_0043006E
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor dword ptr [eax], esi	4_2_0043006E
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov ebx, dword ptr [eax]	4_2_0043000C
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor dword ptr [ebx], edx	4_2_0043000C
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then je 00403D01h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then inc eax	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then jne 00403CD7h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then je 00403D37h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor dword ptr [eax], ecx	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then add eax, 04h	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then jne 00403D1Fh	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then popad	4_2_00403CB3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	4_2_00403D50
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then add ebx, 04h	4_2_00403D50
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then jl 00403D74h	4_2_00403D50
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then add eax, 0Ch	4_2_00403D50
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then popad	4_2_00403D50
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then pop edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov ebx, 00408F6Ch	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then sub ecx, eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor edx, edx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then push eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then div edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xchg eax, ecx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then add eax, edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then loop 00403E23h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov eax, 0042B000h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then mov ebx, 0042E3D0h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then sub ecx, eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xor edx, edx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then push eax	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then div edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then xchg eax, ecx	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then add eax, edi	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then loop 00403E83h	4_2_00403DC3
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: 4x nop then popad	4_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then pushad	5_2_00430000
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then cmp eax, ebx	5_2_00430000
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then je 00430084h	5_2_00430000
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xor dword ptr [eax], esi	5_2_0043009F
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then je 00403D01h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xor dword ptr [eax], ecx	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then inc eax	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then jne 00403CD7h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then mov eax, 0042B000h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then je 00403D37h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xor dword ptr [eax], ecx	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then add eax, 04h	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then jne 00403D1Fh	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then popad	5_2_00403CB3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	5_2_00403D50
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then add ebx, 04h	5_2_00403D50
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then jl 00403D74h	5_2_00403D50
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then add eax, 0Ch	5_2_00403D50
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then popad	5_2_00403D50
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then pop edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then mov ebx, 00408F6Ch	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then sub ecx, eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xor edx, edx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then push eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then div edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xchg eax, ecx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then add eax, edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then loop 00403E23h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then mov eax, 0042B000h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then mov ebx, 0042E3D0h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then sub ecx, eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xor edx, edx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then push eax	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then div edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then xchg eax, ecx	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then add eax, edi	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then loop 00403E83h	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then popad	5_2_00403DC3
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then cmp eax, ebx	5_2_0042FE60
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: 4x nop then je 00430084h	5_2_0042FE60
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov esi, 6D212EB7h	6_2_00430000
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor edx, edx	6_2_00430000
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then div edi	6_2_00430000
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xchg eax, ecx	6_2_00430000
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then popad	6_2_00430000
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then je 00403D01h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor dword ptr [eax], ecx	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then inc eax	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then jne 00403CD7h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov eax, 0042B000h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then je 00403D37h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor dword ptr [eax], ecx	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then add eax, 04h	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then jne 00403D1Fh	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then popad	6_2_00403CB3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	6_2_00403D50
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then add ebx, 04h	6_2_00403D50
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then jl 00403D74h	6_2_00403D50
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then add eax, 0Ch	6_2_00403D50
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then popad	6_2_00403D50
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then pop edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov ebx, 00408F6Ch	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then sub ecx, eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor edx, edx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then push eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then div edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xchg eax, ecx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then add eax, edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then loop 00403E23h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov eax, 0042B000h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov ebx, 0042E3D0h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then sub ecx, eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor edx, edx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then push eax	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then div edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xchg eax, ecx	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then add eax, edi	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then loop 00403E83h	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then popad	6_2_00403DC3
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then mov esi, 6D212EB7h	6_2_0042FE60
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xor edx, edx	6_2_0042FE60
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then div edi	6_2_0042FE60
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then xchg eax, ecx	6_2_0042FE60
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: 4x nop then popad	6_2_0042FE60
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then pushad	7_2_00430000
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then div edi	7_2_004300A0
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xchg eax, ecx	7_2_004300A0
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then popad	7_2_004300A0
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then je 00403D01h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then inc eax	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then jne 00403CD7h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then mov eax, 0042B000h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then je 00403D37h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then add eax, 04h	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then jne 00403D1Fh	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then popad	7_2_00403CB3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	7_2_00403D50
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then add ebx, 04h	7_2_00403D50
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then jl 00403D74h	7_2_00403D50
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then add eax, 0Ch	7_2_00403D50
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then popad	7_2_00403D50
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then pop edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then sub ecx, eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xor edx, edx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then push eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then div edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xchg eax, ecx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then add eax, edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then loop 00403E23h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then mov eax, 0042B000h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then sub ecx, eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xor edx, edx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then push eax	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then div edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then xchg eax, ecx	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then add eax, edi	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then loop 00403E83h	7_2_00403DC3
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: 4x nop then popad	7_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_00430000
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then je 00430084h	8_2_00430000
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, 04h	8_2_00430000
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then div edi	8_2_004300A0
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xchg eax, ecx	8_2_004300A0
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then popad	8_2_004300A0
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then je 00403D01h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then inc eax	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then jne 00403CD7h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then mov eax, 0042B000h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then je 00403D37h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, 04h	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then jne 00403D1Fh	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then popad	8_2_00403CB3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	8_2_00403D50
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add ebx, 04h	8_2_00403D50
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then jl 00403D74h	8_2_00403D50
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, 0Ch	8_2_00403D50
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then popad	8_2_00403D50
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then pop edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then mov ebx, 00408F6Ch	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then sub ecx, eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor edx, edx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then push eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then div edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xchg eax, ecx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then loop 00403E23h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then mov eax, 0042B000h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then mov ebx, 0042E3D0h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then sub ecx, eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor edx, edx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then push eax	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then div edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xchg eax, ecx	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, edi	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then loop 00403E83h	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then popad	8_2_00403DC3
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then xor dword ptr [eax], ecx	8_2_0042FE60
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then je 00430084h	8_2_0042FE60
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: 4x nop then add eax, 04h	8_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then pushad	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then inc eax	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then test eax, eax	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then jne 0043006Ch	9_2_00430000
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then div edi	9_2_004300A0
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xchg eax, ecx	9_2_004300A0
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then popad	9_2_004300A0
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then je 00403D01h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then inc eax	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then jne 00403CD7h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then mov eax, 0042B000h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then je 00403D37h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then add eax, 04h	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then jne 00403D1Fh	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then popad	9_2_00403CB3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then add ebx, 04h	9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then jl 00403D74h	9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then add eax, 0Ch	9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then popad	9_2_00403D50
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then pop edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then sub ecx, eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor edx, edx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then push eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then div edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xchg eax, ecx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then add eax, edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then loop 00403E23h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then mov eax, 0042B000h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then sub ecx, eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor edx, edx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then push eax	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then div edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xchg eax, ecx	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then add eax, edi	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then loop 00403E83h	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then popad	9_2_00403DC3
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then inc eax	9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then test eax, eax	9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	9_2_0042FE60
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: 4x nop then jne 0043006Ch	9_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov eax, 00401000h	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor edx, edx	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then cmp eax, 00000000h	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ecx, ebx	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then sub ecx, eax	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then pop eax	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor dword ptr [eax], esi	10_2_00430000
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then je 00403D01h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then inc eax	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then jne 00403CD7h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then je 00403D37h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor dword ptr [eax], ecx	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then add eax, 04h	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then jne 00403D1Fh	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then popad	10_2_00403CB3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then add ebx, 04h	10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then jl 00403D74h	10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then add eax, 0Ch	10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then popad	10_2_00403D50
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then pop edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ebx, 00408F6Ch	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then sub ecx, eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor edx, edx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then push eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then div edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xchg eax, ecx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then add eax, edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then loop 00403E23h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then sub ecx, eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor edx, edx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then push eax	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then div edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xchg eax, ecx	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then add eax, edi	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then loop 00403E83h	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then popad	10_2_00403DC3
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor edx, edx	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov eax, 0042B000h	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then cmp eax, 00000000h	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ebx, 0042E3D0h	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then mov ecx, ebx	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then sub ecx, eax	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then pop eax	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: 4x nop then xor dword ptr [eax], esi	10_2_0042FE60
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then sub ecx, eax	11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then pop eax	11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xor dword ptr [eax], esi	11_2_00430068
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov ebx, dword ptr [eax]	11_2_0043000C
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then cmp ebx, ecx	11_2_0043000C
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then je 00403D01h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xor dword ptr [eax], ecx	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then inc eax	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then jne 00403CD7h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov eax, 0042B000h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then je 00403D37h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xor dword ptr [eax], ecx	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then add eax, 04h	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then jne 00403D1Fh	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then popad	11_2_00403CB3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then add ebx, 04h	11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then jl 00403D74h	11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then add eax, 0Ch	11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then popad	11_2_00403D50
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then pop edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov ebx, 00408F6Ch	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then sub ecx, eax	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xor edx, edx	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then push eax	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then div edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xchg eax, ecx	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then add eax, edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then loop 00403E23h	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov eax, 0042B000h	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then mov ebx, 0042E3D0h	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then sub ecx, eax	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xor edx, edx	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then push eax	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then div edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then xchg eax, ecx	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then add eax, edi	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then loop 00403E83h	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then popad	11_2_00403DC3
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: 4x nop then call 0043000Ch	11_2_0042FE60
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then pushad	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then pop edi	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then cmp eax, 00000000h	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor edx, edx	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then div edi	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xchg eax, ecx	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then je 004300D2h	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor edx, edx	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then div edi	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor dword ptr [eax], esi	12_2_00430000
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then je 00403D01h	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor dword ptr [eax], ecx	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then inc eax	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then jne 00403CD7h	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then mov eax, 0042B000h	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then je 00403D37h	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor dword ptr [eax], ecx	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then add eax, 04h	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then jne 00403D1Fh	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then popad	12_2_00403CB3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then mov ecx, dword ptr [eax+04h]	12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then add ebx, 04h	12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then jl 00403D74h	12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then add eax, 0Ch	12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then popad	12_2_00403D50
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then pop edi	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then mov ebx, 00408F6Ch	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then sub ecx, eax	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xor edx, edx	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then push eax	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then div edi	12_2_00403DC3
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: 4x nop then xchg eax, ecx	12_2_00403DC3

Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://asechka.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://color-bank.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://crutop.nu
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://crutop.nu/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://crutop.nu/index.php
Source: f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe, 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Mbhkpnhb.exe, 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Mkqoicnb.exe, 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Mdicai32.exe, 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Mfhplllf.exe, 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Nncepn32.exe, 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Nmdeneap.exe, 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Nfmigk32.exe, 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Nnhnkmek.exe, 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Ninbhfea.exe, 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Nfacbjdk.exe, 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru
Source: f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe, 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Mbhkpnhb.exe, 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Mkqoicnb.exe, 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Mdicai32.exe, 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Mfhplllf.exe, 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Nncepn32.exe, 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Nmdeneap.exe, 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Nfmigk32.exe, 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Nnhnkmek.exe, 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Ninbhfea.exe, 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Nfacbjdk.exe, 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: http://crutop.nuAWM
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://crutop.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://crutop.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://cvv.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://cvv.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://devx.nm.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://fethard.biz/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://fethard.biz/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://filesearch.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://fuck.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://gaz-prom.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://goldensand.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://hackers.lv/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://kadet.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://kavkaz.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://kidos-bank.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://konfiskat.org/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://ldark.nm.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://lovingod.host.sk/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://mazafaka.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://mazafaka.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://parex-bank.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://potleaf.chat.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://promo.ru/index.htm
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://ros-neftbank.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://trojan.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://www.redline.ru/index.php
Source: f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	String found in binary or memory: http://xware.cjb.net/index.htm

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown

PE file has a writeable .text section

Source: f6t9qa761D.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jagibbdg.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Jokilfca.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kegnnphk.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Knccbbff.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kkgclgep.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Kkipaf32.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Loplncai.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mlfimg32.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mhmiah32.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mddjfiih.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mbhkpnhb.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mkqoicnb.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mdicai32.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Mfhplllf.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nncepn32.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nmdeneap.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nfmigk32.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nnhnkmek.exe.18.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ninbhfea.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nfacbjdk.exe.20.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Npjgkp32.exe.21.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Opldpphi.exe.22.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oiehie32.exe.23.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Obmmbkej.exe.24.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oleakplj.exe.25.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oiibddkd.exe.26.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ofmbni32.exe.27.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Onigbk32.exe.28.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pnkdgk32.exe.29.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plaafobm.exe.30.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plfjan32.exe.31.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Abgiogom.exe.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Afeaee32.exe.33.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Apmfnklc.exe.34.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aiejgqbd.exe.35.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Abnopf32.exe.36.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Boepdgoi.exe.37.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bmfpbogh.exe.38.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Beadgadc.exe.39.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Jagibbdg.exe	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Jagibbdg.exe:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Doaepp32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Jokilfca.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Clajoglf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Kegnnphk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Flbkld32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Knccbbff.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Fkcpdl32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Kkgclgep.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Qanqbgdb.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kkipaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kbelgk32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Loplncai.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Eoifoe32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Mlfimg32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Jflaad32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Mhmiah32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Imjgmahp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Mddjfiih.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Ekdhoi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Mbhkpnhb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Makogp32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Mkqoicnb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Gkehlfaa.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Mdicai32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Ihifngfk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Mfhplllf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Eeflcm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Nncepn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Gfhipbln.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Nmdeneap.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Efhade32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Nfmigk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Jhemcd32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Nnhnkmek.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Eakcoodc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Ninbhfea.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Nnglhjfe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Nfacbjdk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Okilnjci.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Npjgkp32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Abagca32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Opldpphi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Caghjf32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Oiehie32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Pppjem32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Obmmbkej.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Jpegka32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Oleakplj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Kkqaeb32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Oiibddkd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Njcedipl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Jdlgaj32.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Onigbk32.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Fompebbg.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Efljmjpm.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Plaafobm.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Gdcmha32.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Khhkcgiq.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Abgiogom.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Bkmjkjhd.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Afeaee32.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Kkpgnmhh.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Cjemgabj.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Akecacdm.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Abnopf32.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Cboabb32.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Nikaqk32.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Folfac32.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Beadgadc.exe
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Pilbmhcp.dll

Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mdicai32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mdicai32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Abnopf32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Abnopf32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Knccbbff.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Abgiogom.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Abgiogom.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Opldpphi.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Opldpphi.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Afeaee32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Afeaee32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Plfjan32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Plfjan32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oleakplj.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oleakplj.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Onigbk32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Onigbk32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Plaafobm.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Plaafobm.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Jokilfca.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Loplncai.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Nncepn32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Nncepn32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Oiehie32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Oiehie32.exe	Code function: String function: 00408F18 appears 42 times
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: String function: 00408A60 appears 31 times
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Code function: String function: 00408F18 appears 42 times

Source: f6t9qa761D.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: f6t9qa761D.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04

Source: classification engine

Classification label: mal100.troj.evad.winEXE@78/79@0/0

Source: f6t9qa761D.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\f6t9qa761D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f6t9qa761D.exe	Virustotal: Detection: 91%
Source: f6t9qa761D.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\f6t9qa761D.exe

File read: C:\Users\user\Desktop\f6t9qa761D.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f6t9qa761D.exe "C:\Users\user\Desktop\f6t9qa761D.exe"
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Process created: C:\Windows\SysWOW64\Jagibbdg.exe C:\Windows\system32\Jagibbdg.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Process created: C:\Windows\SysWOW64\Jokilfca.exe C:\Windows\system32\Jokilfca.exe
Source: C:\Windows\SysWOW64\Jokilfca.exe	Process created: C:\Windows\SysWOW64\Kegnnphk.exe C:\Windows\system32\Kegnnphk.exe
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Process created: C:\Windows\SysWOW64\Knccbbff.exe C:\Windows\system32\Knccbbff.exe
Source: C:\Windows\SysWOW64\Knccbbff.exe	Process created: C:\Windows\SysWOW64\Kkgclgep.exe C:\Windows\system32\Kkgclgep.exe
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Process created: C:\Windows\SysWOW64\Kkipaf32.exe C:\Windows\system32\Kkipaf32.exe
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Process created: C:\Windows\SysWOW64\Loplncai.exe C:\Windows\system32\Loplncai.exe
Source: C:\Windows\SysWOW64\Loplncai.exe	Process created: C:\Windows\SysWOW64\Mlfimg32.exe C:\Windows\system32\Mlfimg32.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Process created: C:\Windows\SysWOW64\Mhmiah32.exe C:\Windows\system32\Mhmiah32.exe
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Process created: C:\Windows\SysWOW64\Mddjfiih.exe C:\Windows\system32\Mddjfiih.exe
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Process created: C:\Windows\SysWOW64\Mbhkpnhb.exe C:\Windows\system32\Mbhkpnhb.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Process created: C:\Windows\SysWOW64\Mkqoicnb.exe C:\Windows\system32\Mkqoicnb.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Process created: C:\Windows\SysWOW64\Mdicai32.exe C:\Windows\system32\Mdicai32.exe
Source: C:\Windows\SysWOW64\Mdicai32.exe	Process created: C:\Windows\SysWOW64\Mfhplllf.exe C:\Windows\system32\Mfhplllf.exe
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Process created: C:\Windows\SysWOW64\Nncepn32.exe C:\Windows\system32\Nncepn32.exe
Source: C:\Windows\SysWOW64\Nncepn32.exe	Process created: C:\Windows\SysWOW64\Nmdeneap.exe C:\Windows\system32\Nmdeneap.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Process created: C:\Windows\SysWOW64\Nfmigk32.exe C:\Windows\system32\Nfmigk32.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Process created: C:\Windows\SysWOW64\Nnhnkmek.exe C:\Windows\system32\Nnhnkmek.exe
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Process created: C:\Windows\SysWOW64\Ninbhfea.exe C:\Windows\system32\Ninbhfea.exe
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Process created: C:\Windows\SysWOW64\Nfacbjdk.exe C:\Windows\system32\Nfacbjdk.exe
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Process created: C:\Windows\SysWOW64\Npjgkp32.exe C:\Windows\system32\Npjgkp32.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Process created: C:\Windows\SysWOW64\Opldpphi.exe C:\Windows\system32\Opldpphi.exe
Source: C:\Windows\SysWOW64\Opldpphi.exe	Process created: C:\Windows\SysWOW64\Oiehie32.exe C:\Windows\system32\Oiehie32.exe
Source: C:\Windows\SysWOW64\Oiehie32.exe	Process created: C:\Windows\SysWOW64\Obmmbkej.exe C:\Windows\system32\Obmmbkej.exe
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Process created: C:\Windows\SysWOW64\Oleakplj.exe C:\Windows\system32\Oleakplj.exe
Source: C:\Windows\SysWOW64\Oleakplj.exe	Process created: C:\Windows\SysWOW64\Oiibddkd.exe C:\Windows\system32\Oiibddkd.exe
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Process created: C:\Windows\SysWOW64\Ofmbni32.exe C:\Windows\system32\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Process created: C:\Windows\SysWOW64\Onigbk32.exe C:\Windows\system32\Onigbk32.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe	Process created: C:\Windows\SysWOW64\Pnkdgk32.exe C:\Windows\system32\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Process created: C:\Windows\SysWOW64\Plaafobm.exe C:\Windows\system32\Plaafobm.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe	Process created: C:\Windows\SysWOW64\Plfjan32.exe C:\Windows\system32\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe	Process created: C:\Windows\SysWOW64\Abgiogom.exe C:\Windows\system32\Abgiogom.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe	Process created: C:\Windows\SysWOW64\Afeaee32.exe C:\Windows\system32\Afeaee32.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe	Process created: C:\Windows\SysWOW64\Apmfnklc.exe C:\Windows\system32\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Process created: C:\Windows\SysWOW64\Aiejgqbd.exe C:\Windows\system32\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Process created: C:\Windows\SysWOW64\Abnopf32.exe C:\Windows\system32\Abnopf32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe	Process created: C:\Windows\SysWOW64\Boepdgoi.exe C:\Windows\system32\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Process created: C:\Windows\SysWOW64\Bmfpbogh.exe C:\Windows\system32\Bmfpbogh.exe
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Process created: C:\Windows\SysWOW64\Jagibbdg.exe C:\Windows\system32\Jagibbdg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Process created: C:\Windows\SysWOW64\Jokilfca.exe C:\Windows\system32\Jokilfca.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Process created: C:\Windows\SysWOW64\Kegnnphk.exe C:\Windows\system32\Kegnnphk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Process created: C:\Windows\SysWOW64\Knccbbff.exe C:\Windows\system32\Knccbbff.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Process created: C:\Windows\SysWOW64\Kkgclgep.exe C:\Windows\system32\Kkgclgep.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Process created: C:\Windows\SysWOW64\Kkipaf32.exe C:\Windows\system32\Kkipaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Process created: C:\Windows\SysWOW64\Loplncai.exe C:\Windows\system32\Loplncai.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Process created: C:\Windows\SysWOW64\Mlfimg32.exe C:\Windows\system32\Mlfimg32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Process created: C:\Windows\SysWOW64\Mhmiah32.exe C:\Windows\system32\Mhmiah32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Process created: C:\Windows\SysWOW64\Mddjfiih.exe C:\Windows\system32\Mddjfiih.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Process created: C:\Windows\SysWOW64\Mbhkpnhb.exe C:\Windows\system32\Mbhkpnhb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Process created: C:\Windows\SysWOW64\Mkqoicnb.exe C:\Windows\system32\Mkqoicnb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Process created: C:\Windows\SysWOW64\Mdicai32.exe C:\Windows\system32\Mdicai32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	Process created: C:\Windows\SysWOW64\Mfhplllf.exe C:\Windows\system32\Mfhplllf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Process created: C:\Windows\SysWOW64\Nncepn32.exe C:\Windows\system32\Nncepn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Process created: C:\Windows\SysWOW64\Nmdeneap.exe C:\Windows\system32\Nmdeneap.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Process created: C:\Windows\SysWOW64\Nfmigk32.exe C:\Windows\system32\Nfmigk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Process created: C:\Windows\SysWOW64\Nnhnkmek.exe C:\Windows\system32\Nnhnkmek.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Process created: C:\Windows\SysWOW64\Ninbhfea.exe C:\Windows\system32\Ninbhfea.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Process created: C:\Windows\SysWOW64\Nfacbjdk.exe C:\Windows\system32\Nfacbjdk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Process created: C:\Windows\SysWOW64\Npjgkp32.exe C:\Windows\system32\Npjgkp32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Process created: C:\Windows\SysWOW64\Opldpphi.exe C:\Windows\system32\Opldpphi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Process created: C:\Windows\SysWOW64\Oiehie32.exe C:\Windows\system32\Oiehie32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Process created: C:\Windows\SysWOW64\Obmmbkej.exe C:\Windows\system32\Obmmbkej.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Process created: C:\Windows\SysWOW64\Oleakplj.exe C:\Windows\system32\Oleakplj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	Process created: C:\Windows\SysWOW64\Oiibddkd.exe C:\Windows\system32\Oiibddkd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Process created: C:\Windows\SysWOW64\Ofmbni32.exe C:\Windows\system32\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Process created: C:\Windows\SysWOW64\Onigbk32.exe C:\Windows\system32\Onigbk32.exe
Source: C:\Windows\SysWOW64\Onigbk32.exe	Process created: C:\Windows\SysWOW64\Pnkdgk32.exe C:\Windows\system32\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Process created: C:\Windows\SysWOW64\Plaafobm.exe C:\Windows\system32\Plaafobm.exe
Source: C:\Windows\SysWOW64\Plaafobm.exe	Process created: C:\Windows\SysWOW64\Plfjan32.exe C:\Windows\system32\Plfjan32.exe
Source: C:\Windows\SysWOW64\Plfjan32.exe	Process created: C:\Windows\SysWOW64\Abgiogom.exe C:\Windows\system32\Abgiogom.exe
Source: C:\Windows\SysWOW64\Abgiogom.exe	Process created: C:\Windows\SysWOW64\Afeaee32.exe C:\Windows\system32\Afeaee32.exe
Source: C:\Windows\SysWOW64\Afeaee32.exe	Process created: C:\Windows\SysWOW64\Apmfnklc.exe C:\Windows\system32\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Process created: C:\Windows\SysWOW64\Aiejgqbd.exe C:\Windows\system32\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Process created: C:\Windows\SysWOW64\Abnopf32.exe C:\Windows\system32\Abnopf32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe	Process created: C:\Windows\SysWOW64\Boepdgoi.exe C:\Windows\system32\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Process created: C:\Windows\SysWOW64\Bmfpbogh.exe C:\Windows\system32\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\f6t9qa761D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mdicai32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oleakplj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Onigbk32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plaafobm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Plfjan32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Abgiogom.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Afeaee32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Abnopf32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Section loaded: ntmarta.dll

Source: initial sample

Static PE information: section where entry point is pointing to: .fldo

Source: f6t9qa761D.exe	Static PE information: section name: .fldo
Source: f6t9qa761D.exe	Static PE information: section name: .l1
Source: Jagibbdg.exe.1.dr	Static PE information: section name: .fldo
Source: Jagibbdg.exe.1.dr	Static PE information: section name: .l1
Source: Jokilfca.exe.2.dr	Static PE information: section name: .fldo
Source: Jokilfca.exe.2.dr	Static PE information: section name: .l1
Source: Kegnnphk.exe.3.dr	Static PE information: section name: .fldo
Source: Kegnnphk.exe.3.dr	Static PE information: section name: .l1
Source: Knccbbff.exe.4.dr	Static PE information: section name: .fldo
Source: Knccbbff.exe.4.dr	Static PE information: section name: .l1
Source: Kkgclgep.exe.5.dr	Static PE information: section name: .fldo
Source: Kkgclgep.exe.5.dr	Static PE information: section name: .l1
Source: Kkipaf32.exe.6.dr	Static PE information: section name: .fldo
Source: Kkipaf32.exe.6.dr	Static PE information: section name: .l1
Source: Loplncai.exe.7.dr	Static PE information: section name: .fldo
Source: Loplncai.exe.7.dr	Static PE information: section name: .l1
Source: Mlfimg32.exe.8.dr	Static PE information: section name: .fldo
Source: Mlfimg32.exe.8.dr	Static PE information: section name: .l1
Source: Mhmiah32.exe.9.dr	Static PE information: section name: .fldo
Source: Mhmiah32.exe.9.dr	Static PE information: section name: .l1
Source: Mddjfiih.exe.10.dr	Static PE information: section name: .fldo
Source: Mddjfiih.exe.10.dr	Static PE information: section name: .l1
Source: Mbhkpnhb.exe.11.dr	Static PE information: section name: .fldo
Source: Mbhkpnhb.exe.11.dr	Static PE information: section name: .l1
Source: Mkqoicnb.exe.12.dr	Static PE information: section name: .fldo
Source: Mkqoicnb.exe.12.dr	Static PE information: section name: .l1
Source: Mdicai32.exe.13.dr	Static PE information: section name: .fldo
Source: Mdicai32.exe.13.dr	Static PE information: section name: .l1
Source: Mfhplllf.exe.14.dr	Static PE information: section name: .fldo
Source: Mfhplllf.exe.14.dr	Static PE information: section name: .l1
Source: Nncepn32.exe.15.dr	Static PE information: section name: .fldo
Source: Nncepn32.exe.15.dr	Static PE information: section name: .l1
Source: Nmdeneap.exe.16.dr	Static PE information: section name: .fldo
Source: Nmdeneap.exe.16.dr	Static PE information: section name: .l1
Source: Nfmigk32.exe.17.dr	Static PE information: section name: .fldo
Source: Nfmigk32.exe.17.dr	Static PE information: section name: .l1
Source: Nnhnkmek.exe.18.dr	Static PE information: section name: .fldo
Source: Nnhnkmek.exe.18.dr	Static PE information: section name: .l1
Source: Ninbhfea.exe.19.dr	Static PE information: section name: .fldo
Source: Ninbhfea.exe.19.dr	Static PE information: section name: .l1
Source: Nfacbjdk.exe.20.dr	Static PE information: section name: .fldo
Source: Nfacbjdk.exe.20.dr	Static PE information: section name: .l1
Source: Npjgkp32.exe.21.dr	Static PE information: section name: .fldo
Source: Npjgkp32.exe.21.dr	Static PE information: section name: .l1
Source: Opldpphi.exe.22.dr	Static PE information: section name: .fldo
Source: Opldpphi.exe.22.dr	Static PE information: section name: .l1
Source: Oiehie32.exe.23.dr	Static PE information: section name: .fldo
Source: Oiehie32.exe.23.dr	Static PE information: section name: .l1
Source: Obmmbkej.exe.24.dr	Static PE information: section name: .fldo
Source: Obmmbkej.exe.24.dr	Static PE information: section name: .l1
Source: Oleakplj.exe.25.dr	Static PE information: section name: .fldo
Source: Oleakplj.exe.25.dr	Static PE information: section name: .l1
Source: Oiibddkd.exe.26.dr	Static PE information: section name: .fldo
Source: Oiibddkd.exe.26.dr	Static PE information: section name: .l1
Source: Ofmbni32.exe.27.dr	Static PE information: section name: .fldo
Source: Ofmbni32.exe.27.dr	Static PE information: section name: .l1
Source: Onigbk32.exe.28.dr	Static PE information: section name: .fldo
Source: Onigbk32.exe.28.dr	Static PE information: section name: .l1
Source: Pnkdgk32.exe.29.dr	Static PE information: section name: .fldo
Source: Pnkdgk32.exe.29.dr	Static PE information: section name: .l1
Source: Plaafobm.exe.30.dr	Static PE information: section name: .fldo
Source: Plaafobm.exe.30.dr	Static PE information: section name: .l1
Source: Plfjan32.exe.31.dr	Static PE information: section name: .fldo
Source: Plfjan32.exe.31.dr	Static PE information: section name: .l1
Source: Abgiogom.exe.32.dr	Static PE information: section name: .fldo
Source: Abgiogom.exe.32.dr	Static PE information: section name: .l1
Source: Afeaee32.exe.33.dr	Static PE information: section name: .fldo
Source: Afeaee32.exe.33.dr	Static PE information: section name: .l1
Source: Apmfnklc.exe.34.dr	Static PE information: section name: .fldo
Source: Apmfnklc.exe.34.dr	Static PE information: section name: .l1
Source: Aiejgqbd.exe.35.dr	Static PE information: section name: .fldo
Source: Aiejgqbd.exe.35.dr	Static PE information: section name: .l1
Source: Abnopf32.exe.36.dr	Static PE information: section name: .fldo
Source: Abnopf32.exe.36.dr	Static PE information: section name: .l1
Source: Boepdgoi.exe.37.dr	Static PE information: section name: .fldo
Source: Boepdgoi.exe.37.dr	Static PE information: section name: .l1
Source: Bmfpbogh.exe.38.dr	Static PE information: section name: .fldo
Source: Bmfpbogh.exe.38.dr	Static PE information: section name: .l1
Source: Beadgadc.exe.39.dr	Static PE information: section name: .fldo
Source: Beadgadc.exe.39.dr	Static PE information: section name: .l1

Source: f6t9qa761D.exe	Static PE information: section name: .text entropy: 7.129435722610816
Source: Jagibbdg.exe.1.dr	Static PE information: section name: .text entropy: 7.162455714032348
Source: Jokilfca.exe.2.dr	Static PE information: section name: .text entropy: 7.15982708692499
Source: Kegnnphk.exe.3.dr	Static PE information: section name: .text entropy: 7.162131595786184
Source: Knccbbff.exe.4.dr	Static PE information: section name: .text entropy: 7.16380020135791
Source: Kkgclgep.exe.5.dr	Static PE information: section name: .text entropy: 7.199588493733589
Source: Kkipaf32.exe.6.dr	Static PE information: section name: .text entropy: 7.158411480101382
Source: Loplncai.exe.7.dr	Static PE information: section name: .text entropy: 7.111314339012284
Source: Mlfimg32.exe.8.dr	Static PE information: section name: .text entropy: 7.20545575363383
Source: Mhmiah32.exe.9.dr	Static PE information: section name: .text entropy: 7.111854620392808
Source: Mddjfiih.exe.10.dr	Static PE information: section name: .text entropy: 7.17622940485195
Source: Mbhkpnhb.exe.11.dr	Static PE information: section name: .text entropy: 7.161093985501556
Source: Mkqoicnb.exe.12.dr	Static PE information: section name: .text entropy: 6.949372414467907
Source: Mdicai32.exe.13.dr	Static PE information: section name: .text entropy: 7.183156955694525
Source: Mfhplllf.exe.14.dr	Static PE information: section name: .text entropy: 7.181495996708354
Source: Nncepn32.exe.15.dr	Static PE information: section name: .text entropy: 7.152756617942734
Source: Nmdeneap.exe.16.dr	Static PE information: section name: .text entropy: 7.174675474540074
Source: Nfmigk32.exe.17.dr	Static PE information: section name: .text entropy: 7.13576525796639
Source: Nnhnkmek.exe.18.dr	Static PE information: section name: .text entropy: 7.159687221034241
Source: Ninbhfea.exe.19.dr	Static PE information: section name: .text entropy: 7.168950881448808
Source: Nfacbjdk.exe.20.dr	Static PE information: section name: .text entropy: 6.915128603158092
Source: Npjgkp32.exe.21.dr	Static PE information: section name: .text entropy: 7.099734896483985
Source: Opldpphi.exe.22.dr	Static PE information: section name: .text entropy: 7.160455727491319
Source: Oiehie32.exe.23.dr	Static PE information: section name: .text entropy: 6.969272790137508
Source: Obmmbkej.exe.24.dr	Static PE information: section name: .text entropy: 7.119068507640744
Source: Oleakplj.exe.25.dr	Static PE information: section name: .text entropy: 7.149858436442656
Source: Oiibddkd.exe.26.dr	Static PE information: section name: .text entropy: 7.1400998969697005
Source: Ofmbni32.exe.27.dr	Static PE information: section name: .text entropy: 7.199901196794614
Source: Onigbk32.exe.28.dr	Static PE information: section name: .text entropy: 7.148718122099703
Source: Pnkdgk32.exe.29.dr	Static PE information: section name: .text entropy: 7.128193719864745
Source: Plaafobm.exe.30.dr	Static PE information: section name: .text entropy: 7.123151697015828
Source: Plfjan32.exe.31.dr	Static PE information: section name: .text entropy: 7.1645055122231325
Source: Abgiogom.exe.32.dr	Static PE information: section name: .text entropy: 7.15783186302685
Source: Afeaee32.exe.33.dr	Static PE information: section name: .text entropy: 7.133443618227196
Source: Apmfnklc.exe.34.dr	Static PE information: section name: .text entropy: 7.148829340156794
Source: Aiejgqbd.exe.35.dr	Static PE information: section name: .text entropy: 7.073021381214775
Source: Abnopf32.exe.36.dr	Static PE information: section name: .text entropy: 7.180049933586281
Source: Boepdgoi.exe.37.dr	Static PE information: section name: .text entropy: 7.062278259438176
Source: Bmfpbogh.exe.38.dr	Static PE information: section name: .text entropy: 7.159488419401522
Source: Beadgadc.exe.39.dr	Static PE information: section name: .text entropy: 7.1897567359449726

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\Ninbhfea.exe	Executable created and started: C:\Windows\SysWOW64\Nfacbjdk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Afeaee32.exe	Executable created and started: C:\Windows\SysWOW64\Apmfnklc.exe
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Executable created and started: C:\Windows\SysWOW64\Mdicai32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Loplncai.exe	Executable created and started: C:\Windows\SysWOW64\Mlfimg32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Executable created and started: C:\Windows\SysWOW64\Abnopf32.exe
Source: C:\Windows\SysWOW64\Mdicai32.exe	Executable created and started: C:\Windows\SysWOW64\Mfhplllf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Plfjan32.exe	Executable created and started: C:\Windows\SysWOW64\Abgiogom.exe
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Executable created and started: C:\Windows\SysWOW64\Opldpphi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Executable created and started: C:\Windows\SysWOW64\Mddjfiih.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Executable created and started: C:\Windows\SysWOW64\Ofmbni32.exe
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Executable created and started: C:\Windows\SysWOW64\Nfmigk32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Executable created and started: C:\Windows\SysWOW64\Ninbhfea.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Executable created and started: C:\Windows\SysWOW64\Loplncai.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Oiehie32.exe	Executable created and started: C:\Windows\SysWOW64\Obmmbkej.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Opldpphi.exe	Executable created and started: C:\Windows\SysWOW64\Oiehie32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Executable created and started: C:\Windows\SysWOW64\Kkipaf32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Executable created and started: C:\Windows\SysWOW64\Aiejgqbd.exe
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Executable created and started: C:\Windows\SysWOW64\Nnhnkmek.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Onigbk32.exe	Executable created and started: C:\Windows\SysWOW64\Pnkdgk32.exe
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Executable created and started: C:\Windows\SysWOW64\Npjgkp32.exe	Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Executable created and started: C:\Windows\SysWOW64\Jagibbdg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Knccbbff.exe	Executable created and started: C:\Windows\SysWOW64\Kkgclgep.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Executable created and started: C:\Windows\SysWOW64\Bmfpbogh.exe
Source: C:\Windows\SysWOW64\Oleakplj.exe	Executable created and started: C:\Windows\SysWOW64\Oiibddkd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Kegnnphk.exe	Executable created and started: C:\Windows\SysWOW64\Knccbbff.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Abgiogom.exe	Executable created and started: C:\Windows\SysWOW64\Afeaee32.exe
Source: C:\Windows\SysWOW64\Abnopf32.exe	Executable created and started: C:\Windows\SysWOW64\Boepdgoi.exe
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Executable created and started: C:\Windows\SysWOW64\Mhmiah32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Plaafobm.exe	Executable created and started: C:\Windows\SysWOW64\Plfjan32.exe
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Executable created and started: C:\Windows\SysWOW64\Mkqoicnb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Executable created and started: C:\Windows\SysWOW64\Oleakplj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Executable created and started: C:\Windows\SysWOW64\Onigbk32.exe
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Executable created and started: C:\Windows\SysWOW64\Plaafobm.exe
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Executable created and started: C:\Windows\SysWOW64\Jokilfca.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Nncepn32.exe	Executable created and started: C:\Windows\SysWOW64\Nmdeneap.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Executable created and started: C:\Windows\SysWOW64\Nncepn32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Executable created and started: C:\Windows\SysWOW64\Mbhkpnhb.exe	Jump to behavior
Source: C:\Windows\SysWOW64\Jokilfca.exe	Executable created and started: C:\Windows\SysWOW64\Kegnnphk.exe	Jump to behavior

Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Jhemcd32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Nfacbjdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Apmfnklc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Cjemgabj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Njcedipl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Mdicai32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Mlfimg32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Khhkcgiq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Abnopf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Gfhipbln.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Nnglhjfe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Abagca32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Mfhplllf.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Abgiogom.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Opldpphi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Caghjf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Mddjfiih.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Ofmbni32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Clajoglf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Nfmigk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Akecacdm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Ninbhfea.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Eakcoodc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Loplncai.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Obmmbkej.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Oiehie32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kkipaf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Ihifngfk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Doaepp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Cboabb32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Fkcpdl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Aiejgqbd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Nnhnkmek.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Pnkdgk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Gdcmha32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Pilbmhcp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Npjgkp32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Makogp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Kkqaeb32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kbelgk32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Jagibbdg.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Gkehlfaa.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Flbkld32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Kkgclgep.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Okilnjci.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Bmfpbogh.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Folfac32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Oiibddkd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Knccbbff.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Kkpgnmhh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Fompebbg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Jflaad32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Jdlgaj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Efljmjpm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Afeaee32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Boepdgoi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Mhmiah32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Plfjan32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Bkmjkjhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Mkqoicnb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Oleakplj.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Onigbk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Qanqbgdb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Plaafobm.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Jokilfca.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Jpegka32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Pppjem32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Eoifoe32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Efhade32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Ekdhoi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Eeflcm32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Nmdeneap.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Beadgadc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Nncepn32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Mbhkpnhb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Kegnnphk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Imjgmahp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Nikaqk32.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Jhemcd32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Nfacbjdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Apmfnklc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe	File created: C:\Windows\SysWOW64\Cjemgabj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Njcedipl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Mdicai32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Mlfimg32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Khhkcgiq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Abnopf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Gfhipbln.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Nnglhjfe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Abagca32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Mfhplllf.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Abgiogom.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Opldpphi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe	File created: C:\Windows\SysWOW64\Caghjf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Mddjfiih.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Ofmbni32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Clajoglf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nmdeneap.exe	File created: C:\Windows\SysWOW64\Nfmigk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Akecacdm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	File created: C:\Windows\SysWOW64\Ninbhfea.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Eakcoodc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Loplncai.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Obmmbkej.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Oiehie32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kkipaf32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	File created: C:\Windows\SysWOW64\Ihifngfk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Doaepp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	File created: C:\Windows\SysWOW64\Cboabb32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Fkcpdl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe	File created: C:\Windows\SysWOW64\Aiejgqbd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe	File created: C:\Windows\SysWOW64\Nnhnkmek.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Pnkdgk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Gdcmha32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Pilbmhcp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	File created: C:\Windows\SysWOW64\Npjgkp32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Makogp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Kkqaeb32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe	File created: C:\Windows\SysWOW64\Kbelgk32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe	File created: C:\Windows\SysWOW64\Jagibbdg.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Gkehlfaa.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Flbkld32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Kkgclgep.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe	File created: C:\Windows\SysWOW64\Okilnjci.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Bmfpbogh.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe	File created: C:\Windows\SysWOW64\Folfac32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe	File created: C:\Windows\SysWOW64\Oiibddkd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Kegnnphk.exe	File created: C:\Windows\SysWOW64\Knccbbff.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Kkpgnmhh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Fompebbg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe	File created: C:\Windows\SysWOW64\Jflaad32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe	File created: C:\Windows\SysWOW64\Jdlgaj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe	File created: C:\Windows\SysWOW64\Efljmjpm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe	File created: C:\Windows\SysWOW64\Afeaee32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Boepdgoi.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Mhmiah32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe	File created: C:\Windows\SysWOW64\Plfjan32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe	File created: C:\Windows\SysWOW64\Bkmjkjhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	File created: C:\Windows\SysWOW64\Mkqoicnb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe	File created: C:\Windows\SysWOW64\Oleakplj.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe	File created: C:\Windows\SysWOW64\Onigbk32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe	File created: C:\Windows\SysWOW64\Qanqbgdb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	File created: C:\Windows\SysWOW64\Plaafobm.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe	File created: C:\Windows\SysWOW64\Jokilfca.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe	File created: C:\Windows\SysWOW64\Jpegka32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe	File created: C:\Windows\SysWOW64\Pppjem32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe	File created: C:\Windows\SysWOW64\Eoifoe32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Efhade32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe	File created: C:\Windows\SysWOW64\Ekdhoi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe	File created: C:\Windows\SysWOW64\Eeflcm32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe	File created: C:\Windows\SysWOW64\Nmdeneap.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	File created: C:\Windows\SysWOW64\Beadgadc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe	File created: C:\Windows\SysWOW64\Nncepn32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe	File created: C:\Windows\SysWOW64\Mbhkpnhb.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe	File created: C:\Windows\SysWOW64\Kegnnphk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe	File created: C:\Windows\SysWOW64\Imjgmahp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe	File created: C:\Windows\SysWOW64\Nikaqk32.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\f6t9qa761D.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger			Jump to behavior
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger			Jump to behavior

Source: C:\Windows\SysWOW64\Kegnnphk.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Fkcpdl32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nmdeneap.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jhemcd32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Pnkdgk32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Gdcmha32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pilbmhcp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Afeaee32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Cjemgabj.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oleakplj.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Njcedipl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Obmmbkej.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Kkqaeb32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mddjfiih.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Makogp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkgclgep.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Kbelgk32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Plaafobm.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Khhkcgiq.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nnhnkmek.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Nnglhjfe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mfhplllf.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Gfhipbln.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mbhkpnhb.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Gkehlfaa.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfacbjdk.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Abagca32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jokilfca.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Flbkld32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Boepdgoi.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Folfac32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ninbhfea.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Okilnjci.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abgiogom.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Kkpgnmhh.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Ofmbni32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Fompebbg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiibddkd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jdlgaj32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Loplncai.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jflaad32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Onigbk32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Efljmjpm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Plfjan32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Bkmjkjhd.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Npjgkp32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Caghjf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Jagibbdg.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Clajoglf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Knccbbff.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Qanqbgdb.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Apmfnklc.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Akecacdm.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Oiehie32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Jpegka32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Opldpphi.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Pppjem32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nfmigk32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Eakcoodc.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Kkipaf32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Eoifoe32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Nncepn32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Efhade32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mhmiah32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekdhoi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mdicai32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Eeflcm32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Bmfpbogh.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Beadgadc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Mlfimg32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Imjgmahp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Mkqoicnb.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Ihifngfk.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Abnopf32.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Nikaqk32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\f6t9qa761D.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Doaepp32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\Aiejgqbd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Cboabb32.dll	Jump to dropped file

Stealing of Sensitive Information

Yara detected Berbew

Source: Yara match	File source: 2.2.Jagibbdg.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Knccbbff.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Pnkdgk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nfmigk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Oiibddkd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nmdeneap.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Mdicai32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Onigbk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Loplncai.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Nncepn32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Mkqoicnb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Kegnnphk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Nncepn32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Opldpphi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Npjgkp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Mbhkpnhb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Onigbk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nnhnkmek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mhmiah32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Plaafobm.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Nfacbjdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Mbhkpnhb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Oleakplj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Npjgkp32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Oiehie32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Bmfpbogh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Obmmbkej.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Oiibddkd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Ninbhfea.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Ofmbni32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Mfhplllf.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Mkqoicnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.f6t9qa761D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Ninbhfea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Jagibbdg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Obmmbkej.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Kkgclgep.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Mlfimg32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Abgiogom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Afeaee32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Plfjan32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Loplncai.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nnhnkmek.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Pnkdgk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Abnopf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Mfhplllf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Apmfnklc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mhmiah32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Nfacbjdk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Apmfnklc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Abgiogom.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Kkipaf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Boepdgoi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Ofmbni32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Plaafobm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jokilfca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nmdeneap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Oiehie32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Bmfpbogh.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Aiejgqbd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Kkgclgep.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Mdicai32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nfmigk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Oleakplj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Aiejgqbd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Mddjfiih.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Opldpphi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Afeaee32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Knccbbff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Kegnnphk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Abnopf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.f6t9qa761D.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Mddjfiih.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Boepdgoi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Mlfimg32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Kkipaf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Plfjan32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jokilfca.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1524475823.000000000042B000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1525964158.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1523895240.000000000042B000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1523541289.000000000042B000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1524873980.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1524585062.000000000042B000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1523678753.000000000042B000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1524164394.000000000042B000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1523468407.000000000042B000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1525316582.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1525532633.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1523986875.000000000042B000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1524999550.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1526525662.000000000042B000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1524355050.000000000042B000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1525639358.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1526209069.000000000042B000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1523166948.000000000042B000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

Remote Access Functionality

Yara detected Berbew

Source: Yara match	File source: 2.2.Jagibbdg.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Knccbbff.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Pnkdgk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nfmigk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Oiibddkd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nmdeneap.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Mdicai32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Onigbk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Loplncai.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Nncepn32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Mkqoicnb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Kegnnphk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Nncepn32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Opldpphi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Npjgkp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Mbhkpnhb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.Onigbk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nnhnkmek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mhmiah32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Plaafobm.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Nfacbjdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Mbhkpnhb.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Oleakplj.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Npjgkp32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Oiehie32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Bmfpbogh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Obmmbkej.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Oiibddkd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Ninbhfea.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Ofmbni32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Mfhplllf.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Mkqoicnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.f6t9qa761D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Ninbhfea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Jagibbdg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Obmmbkej.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Kkgclgep.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Mlfimg32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Abgiogom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Afeaee32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Plfjan32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Loplncai.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nnhnkmek.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.Pnkdgk32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Abnopf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Mfhplllf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Apmfnklc.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Mhmiah32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Nfacbjdk.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Apmfnklc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Abgiogom.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Kkipaf32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Boepdgoi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.Ofmbni32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Plaafobm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jokilfca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nmdeneap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Oiehie32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.Bmfpbogh.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Aiejgqbd.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Kkgclgep.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Mdicai32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nfmigk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Oleakplj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.Aiejgqbd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Mddjfiih.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Opldpphi.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Afeaee32.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Knccbbff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Kegnnphk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Abnopf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.f6t9qa761D.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Mddjfiih.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.Boepdgoi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Mlfimg32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Kkipaf32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.Plfjan32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jokilfca.exe.42bdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1524475823.000000000042B000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1525964158.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1523895240.000000000042B000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1523541289.000000000042B000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1524873980.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1524585062.000000000042B000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1523678753.000000000042B000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1524164394.000000000042B000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1523468407.000000000042B000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1525316582.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1525532633.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1523986875.000000000042B000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1524999550.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1526525662.000000000042B000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1524355050.000000000042B000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1525639358.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1526209069.000000000042B000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1523166948.000000000042B000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: f6t9qa761D.exe, type: SAMPLE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.Oiibddkd.exe.84a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Mfhplllf.exe.4ea6cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Knccbbff.exe.57956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Loplncai.exe.5a9704.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Plfjan32.exe.67956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Mhmiah32.exe.5ea1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.f6t9qa761D.exe.4d973c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Oleakplj.exe.6b908c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.Boepdgoi.exe.5c956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.Apmfnklc.exe.52967c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.Mdicai32.exe.7fa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Nfmigk32.exe.63a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.Abgiogom.exe.519824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.Kkgclgep.exe.4fa5d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.Ninbhfea.exe.7ea344.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Kegnnphk.exe.7c956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.Plaafobm.exe.81956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Nmdeneap.exe.61a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Mddjfiih.exe.5ca984.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Afeaee32.exe.6aa1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.Ofmbni32.exe.48a5d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.Npjgkp32.exe.52a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.Nfacbjdk.exe.6197d4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Bmfpbogh.exe.7a956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Jokilfca.exe.77a334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Mlfimg32.exe.7aa1cc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.Mbhkpnhb.exe.4e9744.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.Aiejgqbd.exe.6aa334.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Oiehie32.exe.74a33c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.Opldpphi.exe.62a1cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.Pnkdgk32.exe.73956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.Jagibbdg.exe.53a6dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Mkqoicnb.exe.78a1dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Kkipaf32.exe.61956c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.Abnopf32.exe.689284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.Obmmbkej.exe.61956c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Nncepn32.exe.61a33c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.Onigbk32.exe.6aa354.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Nnhnkmek.exe.4ea1c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f6t9qa761D.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jagibbdg.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jokilfca.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kegnnphk.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Knccbbff.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkgclgep.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kkipaf32.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loplncai.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mlfimg32.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mhmiah32.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mddjfiih.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mbhkpnhb.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mkqoicnb.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mdicai32.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mfhplllf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nncepn32.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nmdeneap.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfmigk32.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nnhnkmek.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ninbhfea.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nfacbjdk.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Npjgkp32.exe PID: 7244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Opldpphi.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiehie32.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Obmmbkej.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oleakplj.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Oiibddkd.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ofmbni32.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onigbk32.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pnkdgk32.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plaafobm.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Plfjan32.exe PID: 1672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abgiogom.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Afeaee32.exe PID: 6736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Apmfnklc.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Aiejgqbd.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Abnopf32.exe PID: 932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Boepdgoi.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bmfpbogh.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\Pnkdgk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Aiejgqbd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Knccbbff.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mhmiah32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nncepn32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Onigbk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mdicai32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Npjgkp32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Opldpphi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkgclgep.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nnhnkmek.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kegnnphk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Afeaee32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfacbjdk.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Kkipaf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plaafobm.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oleakplj.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mlfimg32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiibddkd.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Plfjan32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mfhplllf.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Bmfpbogh.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Obmmbkej.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abnopf32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Beadgadc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jagibbdg.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mbhkpnhb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Abgiogom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mkqoicnb.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nfmigk32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Loplncai.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ofmbni32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Apmfnklc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Jokilfca.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Nmdeneap.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Oiehie32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Boepdgoi.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Mddjfiih.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\Ninbhfea.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	12 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f6t9qa761D.exe	92%	Virustotal		Browse
f6t9qa761D.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
f6t9qa761D.exe	100%	Avira	TR/Crypt.XDR.Gen
f6t9qa761D.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\Folfac32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Cboabb32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Gfhipbln.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Caghjf32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Abagca32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ihifngfk.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Efhade32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Akecacdm.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Gkehlfaa.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Afeaee32.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Cjemgabj.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Abnopf32.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Bmfpbogh.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Aiejgqbd.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Boepdgoi.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Clajoglf.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Flbkld32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Eeflcm32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Ekdhoi32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Gdcmha32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Abgiogom.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Bkmjkjhd.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Imjgmahp.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Beadgadc.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Apmfnklc.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Windows\SysWOW64\Fompebbg.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Doaepp32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Eoifoe32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Eakcoodc.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Efljmjpm.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Fkcpdl32.dll	100%	Avira	TR/ATRAPS.Gen
C:\Windows\SysWOW64\Folfac32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Cboabb32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Gfhipbln.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Caghjf32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Abagca32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ihifngfk.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Efhade32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Akecacdm.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Gkehlfaa.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Afeaee32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Cjemgabj.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Abnopf32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Bmfpbogh.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Aiejgqbd.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Boepdgoi.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Clajoglf.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Flbkld32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Eeflcm32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Ekdhoi32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Gdcmha32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Abgiogom.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Bkmjkjhd.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Imjgmahp.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Beadgadc.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Apmfnklc.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Fompebbg.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Doaepp32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Eoifoe32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Eakcoodc.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Efljmjpm.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Fkcpdl32.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\Abagca32.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Abnopf32.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\Windows\SysWOW64\Afeaee32.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Windows\SysWOW64\Akecacdm.dll	87%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Bkmjkjhd.dll	93%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Caghjf32.dll	88%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Cboabb32.dll	87%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Cjemgabj.dll	95%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Clajoglf.dll	85%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Doaepp32.dll	90%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Eakcoodc.dll	88%	ReversingLabs	Win32.Trojan.Padodor
C:\Windows\SysWOW64\Eeflcm32.dll	92%	ReversingLabs	Win32.Trojan.Padodor
C:\Windows\SysWOW64\Efhade32.dll	88%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Efljmjpm.dll	88%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Ekdhoi32.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Eoifoe32.dll	89%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Fkcpdl32.dll	88%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Flbkld32.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Folfac32.dll	90%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Fompebbg.dll	89%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Gdcmha32.dll	87%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Gfhipbln.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Gkehlfaa.dll	89%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Ihifngfk.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Imjgmahp.dll	88%	ReversingLabs	Win32.Trojan.Padodor
C:\Windows\SysWOW64\Jdlgaj32.dll	90%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Jflaad32.dll	91%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Jhemcd32.dll	86%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Jpegka32.dll	93%	ReversingLabs	Win32.Backdoor.Padodor
C:\Windows\SysWOW64\Kbelgk32.dll	88%	ReversingLabs	Win32.Backdoor.Berbew
C:\Windows\SysWOW64\Khhkcgiq.dll	90%	ReversingLabs	Win32.Backdoor.Padodor

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ldark.nm.ru/index.htm	0%	Avira URL Cloud	safe
http://asechka.ru/index.php	0%	Avira URL Cloud	safe
http://gaz-prom.ru/index.htm	0%	Avira URL Cloud	safe
http://color-bank.ru/index.php	100%	Avira URL Cloud	malware
http://goldensand.ru/index.php	0%	Avira URL Cloud	safe
http://crutop.nu/index.htm	0%	Avira URL Cloud	safe
http://devx.nm.ru/index.php	0%	Avira URL Cloud	safe
http://gaz-prom.ru/index.htm	8%	Virustotal		Browse
http://color-bank.ru/index.php	1%	Virustotal		Browse
http://crutop.nu/index.htm	2%	Virustotal		Browse
http://fethard.biz/index.php	0%	Avira URL Cloud	safe
http://mazafaka.ru/index.htm	0%	Avira URL Cloud	safe
http://devx.nm.ru/index.php	0%	Virustotal		Browse
http://crutop.nuAWM	0%	Avira URL Cloud	safe
http://kadet.ru/index.htm	0%	Avira URL Cloud	safe
http://ldark.nm.ru/index.htm	0%	Virustotal		Browse
http://goldensand.ru/index.php	4%	Virustotal		Browse
http://cvv.ru/index.htm	0%	Avira URL Cloud	safe
http://lovingod.host.sk/index.php	0%	Avira URL Cloud	safe
http://kadet.ru/index.htm	1%	Virustotal		Browse
http://parex-bank.ru/index.htm	100%	Avira URL Cloud	malware
http://kidos-bank.ru/index.htm	100%	Avira URL Cloud	malware
http://fuck.ru/index.php	0%	Avira URL Cloud	safe
http://lovingod.host.sk/index.php	3%	Virustotal		Browse
http://cvv.ru/index.htm	1%	Virustotal		Browse
http://crutop.nu	0%	Avira URL Cloud	safe
http://parex-bank.ru/index.htm	1%	Virustotal		Browse
http://kidos-bank.ru/index.htm	12%	Virustotal		Browse
http://asechka.ru/index.php	2%	Virustotal		Browse
http://crutop.ru/index.htm	0%	Avira URL Cloud	safe
http://ros-neftbank.ru/index.php	100%	Avira URL Cloud	malware
http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru	0%	Avira URL Cloud	safe
http://mazafaka.ru/index.htm	8%	Virustotal		Browse
http://www.redline.ru/index.php	0%	Avira URL Cloud	safe
http://crutop.nu	2%	Virustotal		Browse
http://cvv.ru/index.php	0%	Avira URL Cloud	safe
http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru	2%	Virustotal		Browse
http://ros-neftbank.ru/index.php	1%	Virustotal		Browse
http://crutop.ru/index.htm	2%	Virustotal		Browse
http://kavkaz.ru/index.htm	0%	Avira URL Cloud	safe
http://potleaf.chat.ru/index.htm	0%	Avira URL Cloud	safe
http://trojan.ru/index.php	0%	Avira URL Cloud	safe
http://www.redline.ru/index.php	2%	Virustotal		Browse
http://xware.cjb.net/index.htm	0%	Avira URL Cloud	safe
http://filesearch.ru/index.php	0%	Avira URL Cloud	safe
http://trojan.ru/index.php	3%	Virustotal		Browse
http://hackers.lv/index.php	0%	Avira URL Cloud	safe
http://fethard.biz/index.php	1%	Virustotal		Browse
http://filesearch.ru/index.php	2%	Virustotal		Browse
http://konfiskat.org/index.htm	0%	Avira URL Cloud	safe
http://xware.cjb.net/index.htm	1%	Virustotal		Browse
http://mazafaka.ru/index.php	0%	Avira URL Cloud	safe
http://crutop.nu/index.php	0%	Avira URL Cloud	safe
http://kavkaz.ru/index.htm	3%	Virustotal		Browse
http://konfiskat.org/index.htm	3%	Virustotal		Browse
http://hackers.lv/index.php	2%	Virustotal		Browse
http://fethard.biz/index.htm	0%	Avira URL Cloud	safe
http://cvv.ru/index.php	1%	Virustotal		Browse
http://promo.ru/index.htm	0%	Avira URL Cloud	safe
http://crutop.nu/index.php	2%	Virustotal		Browse
http://mazafaka.ru/index.php	4%	Virustotal		Browse
http://crutop.ru/index.php	0%	Avira URL Cloud	safe
http://potleaf.chat.ru/index.htm	1%	Virustotal		Browse
http://fethard.biz/index.htm	1%	Virustotal		Browse
http://promo.ru/index.htm	2%	Virustotal		Browse
http://crutop.ru/index.php	2%	Virustotal		Browse
http://fuck.ru/index.php	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ldark.nm.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://asechka.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://goldensand.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://color-bank.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://gaz-prom.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://devx.nm.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.nu/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mazafaka.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fethard.biz/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.nuAWM	f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe, 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Mbhkpnhb.exe, 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Mkqoicnb.exe, 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Mdicai32.exe, 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Mfhplllf.exe, 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Nncepn32.exe, 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Nmdeneap.exe, 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Nfmigk32.exe, 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Nnhnkmek.exe, 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Ninbhfea.exe, 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Nfacbjdk.exe, 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
http://kadet.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cvv.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://lovingod.host.sk/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://parex-bank.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://kidos-bank.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://fuck.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.nu	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ros-neftbank.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crutop.nu/index.phphttp://crutop.ru/index.phphttp://mazafaka.ru/index.phphttp://color-bank.ru	f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe, 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Mbhkpnhb.exe, 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Mkqoicnb.exe, 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Mdicai32.exe, 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Mfhplllf.exe, 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Nncepn32.exe, 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Nmdeneap.exe, 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Nfmigk32.exe, 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Nnhnkmek.exe, 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Ninbhfea.exe, 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Nfacbjdk.exe, 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.redline.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cvv.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://kavkaz.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://potleaf.chat.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://trojan.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xware.cjb.net/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://filesearch.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hackers.lv/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://konfiskat.org/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mazafaka.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.nu/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fethard.biz/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://promo.ru/index.htm	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crutop.ru/index.php	f6t9qa761D.exe, f6t9qa761D.exe, 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Jagibbdg.exe, Jagibbdg.exe, 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Jokilfca.exe, Jokilfca.exe, 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Kegnnphk.exe, Kegnnphk.exe, 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Knccbbff.exe, Knccbbff.exe, 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Kkgclgep.exe, Kkgclgep.exe, 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Kkipaf32.exe, Kkipaf32.exe, 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Loplncai.exe, Loplncai.exe, 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Mlfimg32.exe, Mlfimg32.exe, 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Mhmiah32.exe, Mhmiah32.exe, 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Mddjfiih.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515137
Start date and time:	2024-09-21 19:47:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f6t9qa761D.exe renamed because original name is a hash value
Original Sample Name:	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@78/79@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 152 Number of non-executed functions: 184
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Abgiogom.exe, PID 2540 because it is empty
Execution Graph export aborted for target Abnopf32.exe, PID 932 because it is empty
Execution Graph export aborted for target Afeaee32.exe, PID 6736 because it is empty
Execution Graph export aborted for target Aiejgqbd.exe, PID 5820 because it is empty
Execution Graph export aborted for target Apmfnklc.exe, PID 5756 because it is empty
Execution Graph export aborted for target Bmfpbogh.exe, PID 6704 because it is empty
Execution Graph export aborted for target Boepdgoi.exe, PID 5860 because it is empty
Execution Graph export aborted for target Jagibbdg.exe, PID 7860 because it is empty
Execution Graph export aborted for target Jokilfca.exe, PID 7876 because it is empty
Execution Graph export aborted for target Kegnnphk.exe, PID 7892 because it is empty
Execution Graph export aborted for target Kkgclgep.exe, PID 7924 because it is empty
Execution Graph export aborted for target Kkipaf32.exe, PID 7956 because it is empty
Execution Graph export aborted for target Knccbbff.exe, PID 7908 because it is empty
Execution Graph export aborted for target Loplncai.exe, PID 7984 because it is empty
Execution Graph export aborted for target Mbhkpnhb.exe, PID 8048 because it is empty
Execution Graph export aborted for target Mddjfiih.exe, PID 8032 because it is empty
Execution Graph export aborted for target Mdicai32.exe, PID 8080 because it is empty
Execution Graph export aborted for target Mfhplllf.exe, PID 8100 because it is empty
Execution Graph export aborted for target Mhmiah32.exe, PID 8016 because it is empty
Execution Graph export aborted for target Mkqoicnb.exe, PID 8064 because it is empty
Execution Graph export aborted for target Mlfimg32.exe, PID 8000 because it is empty
Execution Graph export aborted for target Nfacbjdk.exe, PID 7192 because it is empty
Execution Graph export aborted for target Nfmigk32.exe, PID 8148 because it is empty
Execution Graph export aborted for target Ninbhfea.exe, PID 8184 because it is empty
Execution Graph export aborted for target Nmdeneap.exe, PID 8132 because it is empty
Execution Graph export aborted for target Nncepn32.exe, PID 8116 because it is empty
Execution Graph export aborted for target Nnhnkmek.exe, PID 8168 because it is empty
Execution Graph export aborted for target Npjgkp32.exe, PID 7244 because it is empty
Execution Graph export aborted for target Obmmbkej.exe, PID 7384 because it is empty
Execution Graph export aborted for target Ofmbni32.exe, PID 7528 because it is empty
Execution Graph export aborted for target Oiehie32.exe, PID 7340 because it is empty
Execution Graph export aborted for target Oiibddkd.exe, PID 7476 because it is empty
Execution Graph export aborted for target Oleakplj.exe, PID 7432 because it is empty
Execution Graph export aborted for target Onigbk32.exe, PID 7580 because it is empty
Execution Graph export aborted for target Opldpphi.exe, PID 7288 because it is empty
Execution Graph export aborted for target Plaafobm.exe, PID 1668 because it is empty
Execution Graph export aborted for target Plfjan32.exe, PID 1672 because it is empty
Execution Graph export aborted for target Pnkdgk32.exe, PID 7628 because it is empty
Execution Graph export aborted for target f6t9qa761D.exe, PID 7816 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\SysWOW64\Abagca32.dll

Download File

Process:	C:\Windows\SysWOW64\Nfacbjdk.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863030886134892
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0OB+BDq9J5SC:8qtV0HAr4HB+FqX5SC
MD5:	924F2E2C01119B4B7DB4E9FCBEDFEE6B
SHA1:	6CA567E2A20945BD3904813DD9255F26544674AE
SHA-256:	CA087E968E197603EDFBB8545E4CC5781B4460585AF6F4E023F6D37C9583F802
SHA-512:	86229E5438EE859D05660FB9400F71DCDEAB3ED3B13C99D3C019F5CB4EF6DF6ED605AF2758EA778D9A6AE55C870492BFC7DA54F823C3DD31E1CCE2857CD923DD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Abgiogom.exe

Download File

Process:	C:\Windows\SysWOW64\Plfjan32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.662204638800287
Encrypted:	false
SSDEEP:	3072:ZhLKSyHWaaECYvPgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:ZhmSy1VCmP1+fIyG5jZkCwi8r
MD5:	5F5E82E399D074D5225D8C32138803C3
SHA1:	33C5F1F505C5D0DEA92656FB4C34BA9B0A1FCD1E
SHA-256:	23F4A2F4A66079BF85977CA8F19162E2F31220130EFE553A48F4D0EE47B23668
SHA-512:	F33643EA31EA292D3ADE62FA9ED282E9F75A32C8C6B47EFA46E042FFC07DA584A79C9373011F36682EC1A5F50794E96AA55A230BA62FD3016A60C0FAE7B67C7E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Abnopf32.exe

Download File

Process:	C:\Windows\SysWOW64\Aiejgqbd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.697559463624774
Encrypted:	false
SSDEEP:	3072:1TGJ25CEddfa1M+MU2gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:1TGo5Cadfa1uU21+fIyG5jZkCwi8r
MD5:	193316C91B9FBD583AB86986F09C4F6C
SHA1:	A8A1CF7473A136CFCC72D5F7BFA4A5988C2FBDE3
SHA-256:	5FE809742F82A55D1CD9F14FB617A0BA02B0FB55D7A6FD2D83CA37389B461FEF
SHA-512:	53480BDC65AC0E0AF941D81C08318B71B95B20D7436BCC672C34ED73904B658E89C56A37730E3FDA1D7E756AFCA64DDF9BF5B57E497B1E74F2E8D0074E6489D8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Afeaee32.exe

Download File

Process:	C:\Windows\SysWOW64\Abgiogom.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6815612976959144
Encrypted:	false
SSDEEP:	3072:CkYtpoRj00pgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:apADp1+fIyG5jZkCwi8r
MD5:	8B41C95F611B1B1A8C86BA70B3CC6443
SHA1:	0233E7AAB5532185202E3E783F0ACFD5D357A74A
SHA-256:	F4B9CE3B2449CA71D6D4BB5CAED21C209E5165513A90B02DBAEAC515E6D654E0
SHA-512:	91DF6D4C264A90F3FBECB29C7F0DE0F3C47419F61A15FC297F9266F944E37F2C98CD8124C80C4BD6C8BA5F608F1904D912634AE8980894B2768083BDF4C1821E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Aiejgqbd.exe

Download File

Process:	C:\Windows\SysWOW64\Apmfnklc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.656071660855367
Encrypted:	false
SSDEEP:	3072:DldvKulWwpqv+gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:jvKu8v+1+fIyG5jZkCwi8r
MD5:	59BBE828FE074191C2D6054D26585CF3
SHA1:	38213AC7C83F8CAE8A993E4836A4270E2A17D5D4
SHA-256:	AE8E28B21C0CBDC65ECC0C8B5945A24E111224E06DD3408F82E8983545D05E32
SHA-512:	365261B3B2F2F842FF8251B88BD835AAB4ABB2831D5D1152C0D93CDB4BC0D795812BCF903DC971C52252079F11B2AB6785FA897F0C0DA75C8F98B79C71A50C70
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Akecacdm.dll

Download File

Process:	C:\Windows\SysWOW64\Apmfnklc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630369173031918
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG02B+BDq9J5SC:8qtV0HAr4PB+FqX5SC
MD5:	CEE6E288AD6B38D8BBF97E65A1123451
SHA1:	AC55FFA3F93CF020A4BB8C77FD896B298FADD1E9
SHA-256:	0D016C563A51421A96EA1F9729883F49D68E468EC8380E55BEED3607684B1A64
SHA-512:	EE32CFCFE26C8F131146567A92BA6565B07FD449FA73B40C8F141A23F7C6D95449726F2C73592057F7C3F414EDE02AAA217C08A458B104F2D390172E4696A611
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Apmfnklc.exe

Download File

Process:	C:\Windows\SysWOW64\Afeaee32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.689517399728556
Encrypted:	false
SSDEEP:	3072:Q1gTktd6cczG8Yt+2AaggYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:OgTeWCg2Hg1+fIyG5jZkCwi8r
MD5:	E102B1D30DCF3D950377A7F84B677C5F
SHA1:	417D9292798A9368D36BB9939C8721CD626D9B7D
SHA-256:	F176A45C0BA4D7687DE039BF0A0796F717351569355D75499D2B485DA796A036
SHA-512:	2F9E47859636B4B8BAADB587FC768574ABDEA124FDCF7FED719393608FEB86EFA321D22158BDB383000FA6C44B85E6CB24FF3AA419B2F6638A9DC3F0118F28D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Beadgadc.exe

Download File

Process:	C:\Windows\SysWOW64\Bmfpbogh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.67947502147913
Encrypted:	false
SSDEEP:	3072:uMTbH5dC6/gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:xbH5dB/1+fIyG5jZkCwi8r
MD5:	83BC342BA3FE8DD1AF9C890781AE2AF6
SHA1:	3289903C9E8C2368DB36A2CA8BC5F8A68983ADDA
SHA-256:	4E8A674A0EB9FD2352DA906D8BEA941279E02839A33C0517BC5A33E66E881C46
SHA-512:	2488DEEBE8CFD7BC2B4EFCEBB971CFEE77E2069B73306CDC60D2D555C5FB3A3369948CB6E2F6A0CF649BB9D90B4A873EC509C905D892C5CBC5B70F372684DA91
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Beadgadc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Beadgadc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Beadgadc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Beadgadc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Beadgadc.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Bkmjkjhd.dll

Download File

Process:	C:\Windows\SysWOW64\Plfjan32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862688183077805
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0QB+BDq9J5SC:8qtV0HAr4RB+FqX5SC
MD5:	35FE0E360B1F7A5725956D894AAF36B9
SHA1:	42CFC23BD41EA9449AA8AE882596D8D176B11299
SHA-256:	FF4B6BA5314B8E6C694D851087A1CD23A2FA6CB8135AE44E9CD0EF91F5F09172
SHA-512:	262AABFB84CD748C4660687D2CCDFABABAEBC59282221899DD21D8050F8F329F720607A5F3C4C0DB4A1333249E18919E661DEFFEB0BF41733B8EC48E6AB3D400
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Bmfpbogh.exe

Download File

Process:	C:\Windows\SysWOW64\Boepdgoi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.672492849190647
Encrypted:	false
SSDEEP:	3072:oBq29OuxsHX5AOByxgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:iq8GpAOByx1+fIyG5jZkCwi8r
MD5:	B5A7058FBD260D483CAC8A6FCE0251AD
SHA1:	31928CEE8B8D2B9CA628D3A6F88C8E59793533B4
SHA-256:	A3700E0D8D71495BAA4D851E7DF7A1A0EAE379587DD3006E7EDB375405B5D949
SHA-512:	5835CB66BB971F1B40AE300022985619766F0F26CD14415C34B0F558B59B75836C37CDA6A0E15EAD6E0496CB308D5B671A2D4D0FD321517C0C0F16B4F1186F5D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Boepdgoi.exe

Download File

Process:	C:\Windows\SysWOW64\Abnopf32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.666447760054655
Encrypted:	false
SSDEEP:	3072:6l9AJ/H0yvcgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:6lK+yvc1+fIyG5jZkCwi8r
MD5:	B4F5C63C242907828BEEA09266B776DB
SHA1:	123D8AC21EE06D7D20C28A0DE58FCAEC45A27EAF
SHA-256:	46445E595445A148E98C0FB84BA57F0F2EE530FB5DA5A0E2A2D98DF554103659
SHA-512:	5C8C47D929055E41772CC8F2678F53A8516F8CB62F312FDBE830DB978338C7C03E28099F523CC8B00B174C77622318C70D791F753BCE75CCBBF2E2575213D133
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Caghjf32.dll

Download File

Process:	C:\Windows\SysWOW64\Npjgkp32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8623704506710785
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0NB+BDq9J5SC:8qtV0HAr48B+FqX5SC
MD5:	64136225BA16739C259FEC89D2168666
SHA1:	816B5B65DB454FF7063A5136D3ADE7862214E57B
SHA-256:	F45B5F77FD6D30A4A7420AD87BE8852115BB42E7D40CD18463339674C1860845
SHA-512:	8BDAB58ABF6CD03BEF22C4A7D1C1E0D15409EE762FC9E23A81A7225BA2CC069A7351C62751F8125466841BCF5D9379C870629782002C3DCABC31570585967830
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Cboabb32.dll

Download File

Process:	C:\Windows\SysWOW64\Aiejgqbd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8625048673439935
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0uB+BDq9J5SC:8qtV0HAr4fB+FqX5SC
MD5:	80E8C9D75D9313191258BA49F262F492
SHA1:	E4C84A06C3CBB3925E3F766B5240E3C056E76A96
SHA-256:	464BE5FB10645B82DDCE8E58BF44CF1B2ABE34832925C731169F6BDA3413B458
SHA-512:	B962834EE6707CBA5CA076E57C4B5D228767599B791149FFD198FF8A21385A06EFA3ADF34CBA48DC76C414F7367E933D0E1AD50555B40D008BFE4F5C9A635C18
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Cjemgabj.dll

Download File

Process:	C:\Windows\SysWOW64\Afeaee32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862147814974354
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0ZB+BDq9J5SC:8qtV0HAr4QB+FqX5SC
MD5:	006FD4982B788739F76612206A4D1A23
SHA1:	BB505CE87554588966BB88C193C67751D830269C
SHA-256:	7FB6D171F312EA263228F9D80F2BCDF78BEBDF4B5C643F5D7CFF3580E115060C
SHA-512:	AE7B6E28DBB4D445B309F1B98102274F48F75D5E8BECD5F02FF06EB671A0D3ED9114FD8F0F05B5E54AE07BD3837F3A767BC88F23BC6490A7590B5DE6BF8C17FA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Clajoglf.dll

Download File

Process:	C:\Windows\SysWOW64\Jagibbdg.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.86261553023446
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0UB+BDq9J5SC:8qtV0HAr41B+FqX5SC
MD5:	ED7C9A55D951474E190F5D44F9403171
SHA1:	C0358595FC37E2D4F41855385A00F95F597E12D4
SHA-256:	2D54CD18839F3F0F80D9089B2549D7E03000D280A1864F5C0122AD36F36F4F51
SHA-512:	0EF4EE8E466FC8E171C103B930FBE953FF2868FA9AC461A7E4B18218E6F2A349CD91890B5B9A089708CFAF9FEBDEA6DF358BB8D7F26B239429A7A8728BA02C68
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 85%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Doaepp32.dll

Download File

Process:	C:\Users\user\Desktop\f6t9qa761D.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6657
Entropy (8bit):	2.863392292385166
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0VB+BDq9J5SC:8qtV0HAr4cB+FqX5SC
MD5:	4F2F26BEA71EB92CE6560827063DB122
SHA1:	EDB0DA1FECC9C6E0EBFAB7F6C45A19F4C8E67C23
SHA-256:	157DD86529B12D8D7F666D4C50CC1DE6F715BB4892C7DE83F7368992D6B03B21
SHA-512:	64793D9C18DAF7B4CB172E70897C02B56EA3AC0E8A60499C803F5288B0DED31A22A607746C8212D6AC79BA2965E2CBD2559C4499405C4991D5AA29EED7E3706B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Eakcoodc.dll

Download File

Process:	C:\Windows\SysWOW64\Nfmigk32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8624349698723375
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0HB+BDq9J5SC:8qtV0HAr4GB+FqX5SC
MD5:	0066D8D68979FE4EF48D3746A2EA8243
SHA1:	AA1CF61AE117B0E9FAA9DC23EA52549E7ED356D9
SHA-256:	07B49A4525D0FEC6A917FD393A3C30A02D40590078FC2CE4F6A8A4A55CD47388
SHA-512:	A1C6AC3F6DB881250D8CBA892357B9D30E35AFD0D796179B64F7108A029F54DAD29CBF43A8E5C59B3F4163DF5CCF3B7030D19D51F761AC6EAC3E5A639156A789
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Eeflcm32.dll

Download File

Process:	C:\Windows\SysWOW64\Mdicai32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8625714592819635
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0gB+BDq9J5SC:8qtV0HAr4NB+FqX5SC
MD5:	A3C226AB846639AC74F41512AB609177
SHA1:	15040061CF0E054114DF8985AFF82A7C7C438380
SHA-256:	CF23AC0171B637A0E7A34F16CFFEAD3EC5F5BDB331DBD554AE6BD34A89084DD4
SHA-512:	52AD680516CD6E4376C7AE9AED89FA4D9E58B509337E73FF718E7CC9D27E9306226439331BD1B2F0A47B115577051A388BC0BB276CD0BC3AB44EC30FD2E14A97
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Efhade32.dll

Download File

Process:	C:\Windows\SysWOW64\Nncepn32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8622209881763663
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0/B+BDq9J5SC:8qtV0HAr4+B+FqX5SC
MD5:	BC2523277F8E21691424559FFB2810B4
SHA1:	0D376B1B8E863F9AE3609ADA88BD702E913E91D8
SHA-256:	819FAEB8EDCBB63A69F41D1344F3E7BD46620E7FE6C04B3435FED507395DB430
SHA-512:	F35D887214AA084F1186E65FF087EE735C314CA334CD4BBDA8028A047818A586698E4E8FA59BDDB5D249F14A28BA1E82FF61C4CE7A46A69467A05441A5924B0D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Efljmjpm.dll

Download File

Process:	C:\Windows\SysWOW64\Onigbk32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862700243003955
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0DB+BDq9J5SC:8qtV0HAr4WB+FqX5SC
MD5:	D47EB46F3E8FF9FC9879544A4AAAD26D
SHA1:	414A39614F56E239C8A0053FF2F38C1EC607F166
SHA-256:	E0A01B2539F874134E3DA2409E426F62084449E8402517243F715ABBCD0C0100
SHA-512:	A98581EB3FC88B15982F9D0B1ADB0ADC47299E43922F5F194B218FB3786FA2548320D1ECD7916541ECCB09FDF27C273021405498B473F086B7FCD65D430E4785
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ekdhoi32.dll

Download File

Process:	C:\Windows\SysWOW64\Mhmiah32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862443465374729
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0S5DB+BDq9J5SC:8qtV0HAr4ZNB+FqX5SC
MD5:	C11D8B1C5B73653E6E7874D05F37B261
SHA1:	0C535DA2BA890C3DFAA278D4A118865B613861AE
SHA-256:	D9BF465C29FFD2B623F8E4F9ACA901C4720DA95FCB464685B1C76A60F9353C41
SHA-512:	AEFFBA4F49061B8E86E8971FF79669E6FECF1C5DF815402A614212300EA39A0F4F67D61A496E5BC7927E142901A921E0650B767A222276A4C48AC5C693750690
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Eoifoe32.dll

Download File

Process:	C:\Windows\SysWOW64\Kkipaf32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862075270466864
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0tB+BDq9J5SC:8qtV0HAr4MB+FqX5SC
MD5:	C6B46C8FD708B5D62BEEF8DA4A52EE2C
SHA1:	D7B1414A91833BCC896CDC5F2C7FE8C9A94CAE98
SHA-256:	2C31B5BC2D1A4EE99095B098B430FC9AFDD5E2CDC73740E6D0385A3613BAE674
SHA-512:	82B11F926E1F4852C1773084B26EEEDD09E9198D87612739F5C4342F92AFA02B6A10E5540C825257B2E67F8F4EFABF714777A9303DDAFA2E2AA9B2673D681C15
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Fkcpdl32.dll

Download File

Process:	C:\Windows\SysWOW64\Kegnnphk.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.86333489726242
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0sZB+BDq9J5SC:8qtV0HAr4fB+FqX5SC
MD5:	74A0679E8B0BA006C2F1B84F22801941
SHA1:	82611E48538B4E1D36F3BF70602E0EF823A586AB
SHA-256:	8B50F4FFCEDAF0CFE8D0BE3AFCE285F351D22DBB9368ED66666D09DA31BBEFC1
SHA-512:	58AF584F4E5A3EBEB814FA6EEB8BC5EA82F947623F551AFD45D1C2B02A541D3035CCF3930311DE35D629635DF7E98FACC3BB1C4C26E11791CC89C4600329A6A1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Flbkld32.dll

Download File

Process:	C:\Windows\SysWOW64\Jokilfca.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.86272477272167
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0zB+BDq9J5SC:8qtV0HAr42B+FqX5SC
MD5:	A8083857BFF070537C42FEAF95693386
SHA1:	F146237B0D0643E7E54C0F80B8020B2E77041D29
SHA-256:	BF579C8D404665C4DC543FED0DE45DD5326634F4C3890DDC47E89FC110C870EB
SHA-512:	1B1336C535E4CF2A39884ADCC87849FC9FE1513550319545402A6FB27A8E9E46BC54329368FEE56E067EA5BF8A1DB675AA1B8FF0CD3A8143E3398F2B24E12C3E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Folfac32.dll

Download File

Process:	C:\Windows\SysWOW64\Boepdgoi.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630474481372916
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0GB+BDq9J5SC:8qtV0HAr4/B+FqX5SC
MD5:	469912A014EB2528FC069182287EB861
SHA1:	571F3EB10A82749D512C9D21D00E4CD73E653DFA
SHA-256:	D8FDD2DE9966329D996B0723ED6A1F2DC4B880F712ADAB99FA2CE005FFA422F9
SHA-512:	032DF90FAEFF7943A6875C2F2E409D3FC6DACEC2D835FFCE0586D999052FDADD6A6F7303944D30E92AA999116BF532389C6E56F430A4D2D4E3C44E904F027CE4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Fompebbg.dll

Download File

Process:	C:\Windows\SysWOW64\Ofmbni32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8632540358898613
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0OB+BDq9J5SC:8qtV0HAr4DB+FqX5SC
MD5:	568B4B312EA4E5F9DBA5A67113235B96
SHA1:	77530C329C272C37A98AA05A1072C79370B28862
SHA-256:	7CD64AAEE777AE4A1F30CC5AED111B45891B1D4F0FA8C8CEE7DFF95317AFF1FC
SHA-512:	0E8D61D62741DF97713D5C805CA0777F7B33937A37F317CB3F6793D1287288A49E87810A366BCDAEA4A1EE5899688DECC6D78AD7ED0A18D624CEF7FE6E660416
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Gdcmha32.dll

Download File

Process:	C:\Windows\SysWOW64\Pnkdgk32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8625312080327197
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0D7ZB+BDq9J5SC:8qtV0HAr4SFB+FqX5SC
MD5:	2FB0AFA51A44794EA477CDA3AE470700
SHA1:	EDF1CC0686FE4AAD3FAEFD67ACAF46E8BB826DD0
SHA-256:	E789222553911D457AA49AAB17BB726D66704CA85753AF9EAF874C4ABD62BE14
SHA-512:	C1B135657302AD33BBC07CE5AAC4FBF6D357562DA785A07966ED9FD70E9904F1ADC12E6290BDF7D52111C829E42F83C08933774A0C2CEFC4BD5DC03B5372131A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Gfhipbln.dll

Download File

Process:	C:\Windows\SysWOW64\Mfhplllf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8624745717751185
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0KB+BDq9J5SC:8qtV0HAr4nB+FqX5SC
MD5:	C54944745420BFE553230143B84D3CBF
SHA1:	FF2C2524751C19E744A0C3718E3CC941E04F88DA
SHA-256:	07D79012DBCBA7D08922C8799C7C23D4EED3E231EE30D444D6D0464E3166988A
SHA-512:	9D6F128CA800D4DF4E3E6944346E534F0F34967F7AB155EB734EEEFB6386C19C085CA048901B92166324C24864790D6C6980F7FD49B48CB887D943DC6578E4CB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Gkehlfaa.dll

Download File

Process:	C:\Windows\SysWOW64\Mbhkpnhb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863642082239128
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0JB+BDq9J5SC:8qtV0HAr4oB+FqX5SC
MD5:	C6197152BE92C3015F925814CCEB8CE3
SHA1:	B491F09D39080FC184E95A7A5BE994472039935D
SHA-256:	0E8EB2B49B833626298930D0C7A3890F554ABC8F5ABCCFA8FB30BD2F3B978481
SHA-512:	DFDE17B1B6FC827AECB26B2F4232F4EFD709596FB56E339745C9AD9C52360F965E96A250264D86A938E788BFD1E6283CE618BEB602FAFF3D51F4468CE3021810
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ihifngfk.dll

Download File

Process:	C:\Windows\SysWOW64\Mkqoicnb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8627030634403514
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0SEB+BDq9J5SC:8qtV0HAr4ZEB+FqX5SC
MD5:	3F46D1C5999407ECDF3B32442990859A
SHA1:	A3DEDE6215F2355AE28ECAE6600C00D86EF04933
SHA-256:	BAA7727AA74728D286C2D608F394B77A446B4ABE6060AA1288DB534B7EBAEB2F
SHA-512:	85FC5C5FC2A6046DC19CF1CAA5130285A253205FB5317BDA5FCC4137590D0082A57A2CB62600532FAD730DF2722A16B3523CD3C92BCF055A74DAFC147E2DA447
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Imjgmahp.dll

Download File

Process:	C:\Windows\SysWOW64\Mlfimg32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8627625812999415
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0iB+BDq9J5SC:8qtV0HAr43B+FqX5SC
MD5:	58ED4DDB90F9ABBB77BEAD7C50753E54
SHA1:	AA1462DBF1744E25102C3179B25E83483D06F489
SHA-256:	3714AA4682380C940CF3C7BAED4D0AC53770AAC7979FB46C63C1EA70E1F7C727
SHA-512:	D6A6B2DFBF02720D73A2EFDE6067E3222389E8228FA7496A83C05275378B86A0E2748B3242874FC685CC2B25EE451BB87B0797159C20AA4B7ACFB2645A85AF6B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jagibbdg.exe

Download File

Process:	C:\Users\user\Desktop\f6t9qa761D.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.663618226090287
Encrypted:	false
SSDEEP:	3072:ug6mddPkMcgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:Sm7c1+fIyG5jZkCwi8r
MD5:	124816B52FD54D9C0496C6E8F1AB2A5A
SHA1:	C0985F50A8961288598B9855D767F6AF7CA995A9
SHA-256:	1392D2450BA9B05F7ACE11E99A1E64F1FAB48F3573AA3ADF94F7090AA88D3F80
SHA-512:	3212DFA82CB5EED1D8CEE030008B69E6D8581B3A335C7922C3C202629349F5A587AFD76AFE50BBAC7082F6E554B542F5FD12A4758AAF32FDB13848E489467F7D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jagibbdg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\f6t9qa761D.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SysWOW64\Jdlgaj32.dll

Download File

Process:	C:\Windows\SysWOW64\Oiibddkd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630917532608304
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0rB+BDq9J5SC:8qtV0HAr4WB+FqX5SC
MD5:	B9289DFD71BC701290CA6C8C1C241752
SHA1:	1D8914A0FFABAAEDB7FC08D0D5A30792C5E42A6A
SHA-256:	933BCC541BB48F3A8E2BCB583E7C14951A0393E9C0183CD864B2D80329DEB409
SHA-512:	241667935BDD125B1FB0B245374BFE1500C9B1D5E7BEF375B955D3C2C0073A01D653B89D9B3F2783B75EF031D27F84E57EFFC39B9D6FAA8DA77E36FE19863586
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jflaad32.dll

Download File

Process:	C:\Windows\SysWOW64\Loplncai.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8631468483276983
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG08B+BDq9J5SC:8qtV0HAr4hB+FqX5SC
MD5:	F3B9F955A8C8FD462B40052A161F900D
SHA1:	612E4D9FBE7DCCC40561A29E1BF342387957CB54
SHA-256:	3AC17C7143BB52EFE7A5F76B691E03F73216851464B8DFE72F568F5EA7DC1A12
SHA-512:	256D7385BD824736D3F8BF205B80549364BD3386D9B6E52CBB510412F2EA562CA4FEF31D8A660082B7FBEB504E53EA52767CDD87ED1322A1C1C7FCAE7DDE9B1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jhemcd32.dll

Download File

Process:	C:\Windows\SysWOW64\Nmdeneap.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8632170478609114
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG00B+BDq9J5SC:8qtV0HAr4NB+FqX5SC
MD5:	BED6E6B5A867E743FE1637B918E61E69
SHA1:	FBFBC7A26A279D6751715E7FD405B93C309CD095
SHA-256:	6291D3D3FF43263C125EB51AF62503403452891889FC639EB45CBEB4762F77FE
SHA-512:	676179F46B5FC0039BDBCEF6456642434C4FC7C305D145BEF1AE6BA8BF065B27884EECFE6EE3C7F2D203ED3B4A6EC9527F113441499AD7C6D090D4C14F944139
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jokilfca.exe

Download File

Process:	C:\Windows\SysWOW64\Jagibbdg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.674333767789065
Encrypted:	false
SSDEEP:	3072:rECMkPw+LaaNaS03K3BYgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:wCxVJBY1+fIyG5jZkCwi8r
MD5:	AC30565C2AC0057322C2E64F3CC0FBF6
SHA1:	7F658C08A27A807F84DA8558146736CA9C416CA8
SHA-256:	229BE3F71FEDD2FF8C9DAF6725FA33DD413151942D10DDBB5AE30808AA209F43
SHA-512:	794A27EB016EEABF977F462AA0DC3378A3D5C2856DF9E46CBDB8565A83AEDCF36CDCFCF26DA8AD14A3DB4EC184F94BCA1B94972C96B380A177A0518A78A7B646
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Jpegka32.dll

Download File

Process:	C:\Windows\SysWOW64\Oiehie32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863088963949486
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0e/B+BDq9J5SC:8qtV0HAr4j/B+FqX5SC
MD5:	3377E9DE4A68A8C88B7934371E7B6FCC
SHA1:	B8195DC7F8ADD6616D4B63786C1CEAA40593598C
SHA-256:	44E3AFD208F676FFA6746B288B4D93661D55B4F7F82021653DA6E90227EE24A6
SHA-512:	22235D5EE29F4BE2D5BBBAB4E763B1CBB056BA960C343E439F520B4BCC39965150145525D6900FD805568B49941A0FB2ABF2EF7A90C64A29F6FAD0792FEEE750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kbelgk32.dll

Download File

Process:	C:\Windows\SysWOW64\Kkgclgep.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630905873765586
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0gB+BDq9J5SC:8qtV0HAr49B+FqX5SC
MD5:	8DA29ACC323B8FDA7466506A74A88CE2
SHA1:	0B910B833A865AA8D923FFC444400DFE8B6764A4
SHA-256:	9776DDF3775CF74753266247580A6B6FB24AD9682C4834FA98BBE34D5A7AA5E1
SHA-512:	E87AFA0EA96C1FD9E325ACA78D588A6259E25EFEDE3C668799003E30A125F96064BAB431C2D25030DA4F9CD61B6091CE093C21353FC36A4F1D2B0A8B6F945F6A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kegnnphk.exe

Download File

Process:	C:\Windows\SysWOW64\Jokilfca.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.680802746517536
Encrypted:	false
SSDEEP:	3072:RMb2IF2RMciOAydlcDGRgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:RMb2IFMl2GR1+fIyG5jZkCwi8r
MD5:	B001CD1D8B944653D13962490626A544
SHA1:	82E05CA5F49266B23C027CB95828D35E094ECA47
SHA-256:	60CA8E5E7DAB6979F7C7C78442BD193EC3CC2B3D265B5532CC5BDF7EE7455957
SHA-512:	9741521C4519A270EE5AD40C3DC7E27A644F110AF6E45FEFBDDD4AD1F56958A75526CFE98D165AE83C9AED779BB04FD1B6934CEC4430B5A2E83BD5C22C4E8CAB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Khhkcgiq.dll

Download File

Process:	C:\Windows\SysWOW64\Plaafobm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862300242617132
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0PB+BDq9J5SC:8qtV0HAr4mB+FqX5SC
MD5:	4ABA09B1D61F2F6A8F6EE264D7CF0AF7
SHA1:	F3A492CB7CEDAF2043841C492CDE1D7718A15916
SHA-256:	1F28B1249F069B4AC1B49AAAAEB21EDF223DD66CAFF1EE971D6A9A320B3C0FC1
SHA-512:	D7A7CC5C6C1310D9D94106D2B24D0FBD5FD510E9176750A3C40067DC4983B72139FB4FE946404211DBD12D9DF2F79CC4892CF2B7041F07156C188D8A30D157CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kkgclgep.exe

Download File

Process:	C:\Windows\SysWOW64\Knccbbff.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6662386191488014
Encrypted:	false
SSDEEP:	6144:SlBB5oR111ekqizIsS1+fIyG5jZkCwi8r:SLIiZkCwiY
MD5:	3BF815BC7A4EF539C25284384F57B104
SHA1:	70F500EC19F3EC708F4B02A16114E649BC71FEFC
SHA-256:	EAFAFDFA10B2F402EBF6ED1EBE49DD36FCC3A015F2F76BD2F3A384747FA8A667
SHA-512:	1F7888FDE857ED980DC70C27A844E7D25FB3EB528E58CB16476911A7413F19B46B1FB1FAC6A310DD9DEE4078D3C49A8E949B75AF3C53DF9C97A706FA5D6527E9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kkipaf32.exe

Download File

Process:	C:\Windows\SysWOW64\Kkgclgep.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.661648532054421
Encrypted:	false
SSDEEP:	3072:G3EuqrxWdQTgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:GU9tWdQT1+fIyG5jZkCwi8r
MD5:	E411C0D85828BE876ADBBE5F36DE67A9
SHA1:	99A986B3CDD48BBE2033E17628B2BAD62565A8C1
SHA-256:	ED94DBC8B888240BB529477E7B966D800456650493404C86A16E7A0C4D0E3872
SHA-512:	64F297F4DB9353145923BF7EB886649E3ED9847E859781C8FA02BC9A881CB6EC9858DCC692C7A0BB9B8201B14D7D2ECC87B806C730186712496B6CE358FDFD81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kkpgnmhh.dll

Download File

Process:	C:\Windows\SysWOW64\Abgiogom.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8618874286005624
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG03B+BDq9J5SC:8qtV0HAr4KB+FqX5SC
MD5:	94976E5C7B0F75FEFE247DE3E7C04C80
SHA1:	8386DA3D7D7633CBED8F73304571AB3EACB020F1
SHA-256:	B712EA89536F34874ED988BB896D529F1103101BE9AE88D6DF201C23745712D1
SHA-512:	81D173AE74686D70AB71CE45363E0830FF0631A41AB6BF2E35267DE6B593924F9AF121951E49768BC0195664DF722A4D8BFC7BE3065FE01904A682690417083B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Kkqaeb32.dll

Download File

Process:	C:\Windows\SysWOW64\Obmmbkej.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862327955895683
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0dB+BDq9J5SC:8qtV0HAr4YB+FqX5SC
MD5:	B4A951E2933916F505DF90740CDB12CE
SHA1:	3C9ABE44D2EE589B9BF2D6AFEF65EFDB0B60A791
SHA-256:	54597278B9729A3B57271394D470914ED0014709CFDDAC2B3C3C6D94B4846DC1
SHA-512:	0DEC7BC03C86373B23512469A1395A7BD950313D1A76EA6268282BF3FA89F2E73555C6076B8D07FA7FDD1FDC9BBEC587E325DF19FDC693F20853B6BF28B956EB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Knccbbff.exe

Download File

Process:	C:\Windows\SysWOW64\Kegnnphk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.670541288619338
Encrypted:	false
SSDEEP:	3072:vDojwbMX6KLTcgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:vvbMX6KLTc1+fIyG5jZkCwi8r
MD5:	95A1E08557C9409B202379BFA46A32FD
SHA1:	02999F133FF4C37B0237FEE385ABFB1C4F2E1B1A
SHA-256:	F0A6719A2284109D4F874A5DC7820874B2A8CB1C20BB1E26FB52ABB3920FC390
SHA-512:	00978E71278F1891EE811453A14A6E952CFDF9EB642824539F8FED9358C1FB41DBB2B4129B3051507ECB9BB1F7245F7794AE9F1FDCC1FEE8E27404268F05C1C1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Loplncai.exe

Download File

Process:	C:\Windows\SysWOW64\Kkipaf32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.654522175558893
Encrypted:	false
SSDEEP:	3072:9lOVhnVFRNOiNDgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:i5FiiND1+fIyG5jZkCwi8r
MD5:	F52EDDE5B35A8A27FA3D691183E2953B
SHA1:	94416DCF7EDD4CE6621EEEA23A38283A8B65F608
SHA-256:	1EE3201A0441A7D8E8809622F025F5B7A8F37D59F3440A10632ABE1728DE6A3C
SHA-512:	AA11CF59D9B45568DDEA00505C17D9E3301060E4EFAF3E0648C22391242D3E6755927698DF8793CDCFF613279581E6D97FD5CE35F43F3047F141159AE3036384
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Makogp32.dll

Download File

Process:	C:\Windows\SysWOW64\Mddjfiih.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8630718375718045
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0DB+BDq9J5SC:8qtV0HAr4yB+FqX5SC
MD5:	34B08B2C00E502602F8FB07C62D2CE3A
SHA1:	5E8336E4B9D07728D88AA7122337D4A0C13EAF63
SHA-256:	75E6051272D4E41DF34DB136C92B7B3C1AB1D131C7B53F09E3ABB81897DCA844
SHA-512:	9812B7F0BE82E55E2BA3E67FC24C895707594968169AB1166526A7FCE803F150C1655889D72DD2A859FB68442152124F3DAE5FD07CC658E7A4BD2F06E64DF57C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mbhkpnhb.exe

Download File

Process:	C:\Windows\SysWOW64\Mddjfiih.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.687524693357865
Encrypted:	false
SSDEEP:	3072:kMSuoIKNCORdgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3SuoIKNCORd1+fIyG5jZkCwi8r
MD5:	D6E72D73103928A200613FBC2BD9111C
SHA1:	9A089D05805D3056E22659D5082589BA7025C753
SHA-256:	B86F8EE667117736DF1B3F057DC15F658213D49282377CED73090EE130341EA1
SHA-512:	E840AAE339D8668714C84CAACF395B1621927622FB875783D3518508D090A7E567A61886EE9DD8BE0C1C32E0F41D071B199E022C5C2E4F11D34B84A70C89F18A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mddjfiih.exe

Download File

Process:	C:\Windows\SysWOW64\Mhmiah32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.673315207387449
Encrypted:	false
SSDEEP:	3072:pEMrNcFnsVa9GQ6CgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:pEtFiC1+fIyG5jZkCwi8r
MD5:	65A1D3054A66017AF432390EA625E50E
SHA1:	56BED67CA1C418BDB492A4FFA110965281B18FE7
SHA-256:	A9DD9374F50F39939A9E559ABE20969C545A838E5D0D9140D5120FE0F5634069
SHA-512:	31E44626DC284DDF834BFC65157E21DE79921010FEFA21B5F0278C7DDEBAE5903464844009926EBFA52EFBE4EBEF2CD346FBBEA5FA0C54F6A45D60E0C5A5EDDC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mdicai32.exe

Download File

Process:	C:\Windows\SysWOW64\Mkqoicnb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.672214648343518
Encrypted:	false
SSDEEP:	3072:tLHUprGiI0pqngYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:krJFqn1+fIyG5jZkCwi8r
MD5:	1DB703D13A41CD9D7EBDCB67FDF2E592
SHA1:	23F33BB8CE286797A35FAC7CB9E89C8C5C6F3BCA
SHA-256:	14C073FD89B4D97B2465E5B8E580D0DC0FDE8B6EDC6F74D6A9011B2407DFFD32
SHA-512:	ED89B359302C03FDED3B730FC968618691417B9EFD051A8793335B40638593D1BB7F0C9242E5013F33B9CB6824CB639C5387AF74C34904264629D8DF1FC70FBB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mfhplllf.exe

Download File

Process:	C:\Windows\SysWOW64\Mdicai32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.67125394969729
Encrypted:	false
SSDEEP:	3072:IwRurCuqBVdjmK3KgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:IwArCuqXdiuK1+fIyG5jZkCwi8r
MD5:	26B8ED89C80AF1A6DE69F0266F739588
SHA1:	26774F528E3B76BD88B3769EFFC061F962531EC4
SHA-256:	AECC957786CA631C5CDCAF908BDF776256C4FB5D2EBC1D49367385ABCECC25D3
SHA-512:	534F7181D7931EC9E01D144E9978A0263AFCCEA4C4496453FD9887E2A8C60A92CD798988302AD2E46BB5643C5C2B538DA602D77A7C716F09BAC00D81F15026E4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mhmiah32.exe

Download File

Process:	C:\Windows\SysWOW64\Mlfimg32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.678624815550808
Encrypted:	false
SSDEEP:	3072:IsmZ/D0nO6Q/KKmHJzGHnwWIogYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:0enO6mwWIo1+fIyG5jZkCwi8r
MD5:	55B8378BCCA0573AA52EDC94AEFDC704
SHA1:	92E012F0C0278BB9DB1AAD369C8319E2CCBF1A42
SHA-256:	7D6E66BE9B015628509C51A66B23897160E117FF0F80835329E7552F4881AC52
SHA-512:	6ACADA249BB14BB4A8DA59DD16ED0B60AA452926FEDE08FC73B3D3A31BC180AE5340B045B6A04B4C149B08C0678AD6F6BB42E6BA534A4CB01D920D4F15346116
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mkqoicnb.exe

Download File

Process:	C:\Windows\SysWOW64\Mbhkpnhb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.661053431809354
Encrypted:	false
SSDEEP:	3072:+zwZ/CYbAYqI+IRgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:+zwcAAYjBR1+fIyG5jZkCwi8r
MD5:	94197F299C36AF08D341335E816F8EEE
SHA1:	5516C8E035B20D16E02A427A00125FEA69EFE1DD
SHA-256:	240DBA3E8CF90DB225BD91CA2111F722670B4305FBA02682A572E7708A8BE7CA
SHA-512:	C736A4F7B79AB1111D98092624C78447683266A4ADE196D0F5CA32B2481859C6BCF84B8808203C3FFB9326DFBEDCC8D5458ECDE6256B67DAE8A4F112B96FF1B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mlfimg32.exe

Download File

Process:	C:\Windows\SysWOW64\Loplncai.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.689128416210284
Encrypted:	false
SSDEEP:	3072:E121WpUgTeiJLgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:228Ugait1+fIyG5jZkCwi8r
MD5:	CF46B9CAC7594BA5D4DC54F0FCD338E3
SHA1:	DAA644E0A644BC25738A1551D569FC6ACE1DE136
SHA-256:	7520916C5994D4821C7DD98DDBA8B05F610A0A8D80970E4861A6C9B02F458E0B
SHA-512:	5A3B92D11C04C93D22D8E5E2CCB528643FF6926B1FB6B95030B83E4ACB56EB913076FA22037799717291EAF4C45293335A63B90A6B4A6613B464CD0601022FB7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nfacbjdk.exe

Download File

Process:	C:\Windows\SysWOW64\Ninbhfea.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.651722403836987
Encrypted:	false
SSDEEP:	3072:YtadccCI9PItVD4gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:YUdKI9PIP41+fIyG5jZkCwi8r
MD5:	DE19B82272034D866A40A521582F9F76
SHA1:	340F2D7B404B1E4F2619F8A065ABEC533EFCC7C9
SHA-256:	C0EBA998569E0EBDB918A4B0E7CDA42659A08869B7269F6160D5B87963D9D73A
SHA-512:	CA597B370C253D36A2DD9A4CAD8894D3D3469472E06F5C9CFED9108C0C72753310CF24E09B40482E884C84B94426DFDFA9D2E7449D214C88E3405E326B2D429B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nfmigk32.exe

Download File

Process:	C:\Windows\SysWOW64\Nmdeneap.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.685868158190438
Encrypted:	false
SSDEEP:	3072:bxAizYcoRAqgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:bxnh4Aq1+fIyG5jZkCwi8r
MD5:	94CD6FB51F256E10BA1195DD99C4B4EC
SHA1:	2840ABE0073F58173140289FC7627F2FFE3B769D
SHA-256:	5A9EEEAE5C11B3A2603B64528173A83EDB7FB6E406BD56FAD2EB75121B21B7A7
SHA-512:	738DF350DD6D7EC120997AC4D46DA889D33A3E80D49D494F2C2E5BAFD0C5BD3C866292807B108CE23BBFB617198C97A1FD38E195E3738B26FAF72BAE4E29295D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nikaqk32.dll

Download File

Process:	C:\Windows\SysWOW64\Abnopf32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8623975962951658
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0lcB+BDq9J5SC:8qtV0HAr4rB+FqX5SC
MD5:	8710324E8987B8EAD8A37D0B7B94570A
SHA1:	669F7CAF999C4A689D001D5A00A7572F1C976533
SHA-256:	7A05EC81711DA552BE1A7F9802FDCC26CBE028E0B02F8FD9674178621CB5EB01
SHA-512:	BA9400C23D177A77E55738DFBE420C17A4DB9A6BCDBADD3E638BA441DD2959DFE80426CE2578678A7D80DBEDE4B356EFD1A0F1E07770EC002200262AB3B0BB84
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ninbhfea.exe

Download File

Process:	C:\Windows\SysWOW64\Nnhnkmek.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6347201647713465
Encrypted:	false
SSDEEP:	3072:7xxnNuS2o/YQpT497eqAgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:7xxnNuSV/YQVkA1+fIyG5jZkCwi8r
MD5:	30CE048D570516E488325C85BB935BA6
SHA1:	7A253C4ADC51F0405862A9DF6BD6602821364CDA
SHA-256:	2BCEE498823F9A37F319CACDB0FF7A6BEF939EA3E0D52EF485CD749D9ACB2562
SHA-512:	0961F773A461D632A2EA41DE98F6A3B61B098F716446D751FAD0791317ED140401AEADD2491EDB07598C54C3263C5BF364B02E8C6EEF0FBD2FBBB23032C3436D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Njcedipl.dll

Download File

Process:	C:\Windows\SysWOW64\Oleakplj.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8626930227688048
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0FB+BDq9J5SC:8qtV0HAr4YB+FqX5SC
MD5:	C1308400BDA8B778B7E7A704DD0B4B9A
SHA1:	2BE8AE364DC265D0E29CE10B206970C34BD4D500
SHA-256:	22F8080DEE15CFCFFC967146B585768FC94BAF8836C8C1039BFD729731F0E42A
SHA-512:	42126DAF59717C7FD2DD16073C0F2BF0AEE8A4E021F070281543BD4F0CBE38FEC77A9E5812E80BF6167BF06966328E6F58AFB0780FBCD5E417D94DDA35C5F7BD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nmdeneap.exe

Download File

Process:	C:\Windows\SysWOW64\Nncepn32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.689293010534202
Encrypted:	false
SSDEEP:	3072:5S5NqHCutJv8gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:jiuL81+fIyG5jZkCwi8r
MD5:	E5F6FAFD14FBB658217EE86CBE587A03
SHA1:	6A74D366E59840707ADF0EF242DCA1A11F4D06C3
SHA-256:	10F3BADB6F83B6568F8A46704727154BB7908680F5DB975CD775FDDB2C68F374
SHA-512:	5C864F330163E9C3DCA13A18AE640F107FD8BC79BC34237E5D34BE12D15EFF034264759E3B9C3660AA613B49DEA7433EA2272E0EBC09AB66DCBD514A5567C374
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nncepn32.exe

Download File

Process:	C:\Windows\SysWOW64\Mfhplllf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.662761122230488
Encrypted:	false
SSDEEP:	3072:ToLiUfcLQYxtOgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:ToKc1+fIyG5jZkCwi8r
MD5:	B674905DB37AC8FC43BA727B14D25D04
SHA1:	6CFD7DC4E689523C3DCDF2343693C40BFD122CC8
SHA-256:	D31D7A58A92C4F2B2D1FA333E9E8AE9AC79B5C30986B9E1145BBB1A6699DF53D
SHA-512:	4B099CB41EC889EE7BD1B1491DB6E2DFC3505ED2EED30B90517D343A6A02FD1A48DB917A8CB72EB6B7B27D76C867F5001A4A0EE9DCE8EE4D91CB2B40395C9DC1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nnglhjfe.dll

Download File

Process:	C:\Windows\SysWOW64\Nnhnkmek.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.86262092034002
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0AB+BDq9J5SC:8qtV0HAr41B+FqX5SC
MD5:	1F494AAC11A2666FB71E91B26BF27DB0
SHA1:	0E4604D9602D64E8D7AFA3E2C0713DF5AFA281BA
SHA-256:	8DC7E71F7373CDFB6330953E479A1534357DB1BC7945385959B044D2F29B1BB3
SHA-512:	37906C028AA3631803DE1B31B364CE7EDC6F4B19E9EC9874B985690C1D555853EF3E7B4C1D69AA5BEB5AEFFDD069F6BC78A4FCCD965422CDB44C9D8A12A2CB75
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Nnhnkmek.exe

Download File

Process:	C:\Windows\SysWOW64\Nfmigk32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.688882892115412
Encrypted:	false
SSDEEP:	3072:5nPrvxLr6UtAgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:5nzvMOA1+fIyG5jZkCwi8r
MD5:	325DEE8246A1AC0453E99E6F61321E68
SHA1:	D5753AACD358847D8EEDF1286317E4561D7571E1
SHA-256:	077335670711D64402B3381FE31ECFA4D0821E3DC37F63498BA0FE41D8D6D2FE
SHA-512:	977AB9A021557B32C5807B0423597D3AA9759E6C9ABF366906BBF9A675C56781648ABEE12FE2D8CF6FA62BBC4EF31CBF3B9E3A4C91E44DC26326657B2CE82EF5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Npjgkp32.exe

Download File

Process:	C:\Windows\SysWOW64\Nfacbjdk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.671972362345532
Encrypted:	false
SSDEEP:	3072:BbO05rDgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XD1+fIyG5jZkCwi8r
MD5:	CBAD3F92CD27CB09639A094829D9F6FD
SHA1:	A4CA88F72CEE4F76EBB02DADC46CBABCB3D0389A
SHA-256:	F1F03392242CE65AC60DD0309DDEB52C036C890DE8CEBC4A73A19A8B3445589F
SHA-512:	90A8F79D990BBB725F088FCEB960299B6D73497520FBE2B0B330DBB3BFE6EDA2E6E49A31EC31A85FA6922E6F5C63B07B0943607C9573C68D6C8338E93DD62DEE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Obmmbkej.exe

Download File

Process:	C:\Windows\SysWOW64\Oiehie32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.667233384548493
Encrypted:	false
SSDEEP:	3072:wNZZmkznKRn7cngYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:wrgkznK9on1+fIyG5jZkCwi8r
MD5:	302772D04A5F8FE5E8DEE3E6C1384AD8
SHA1:	0D59185C7A1818CE0FEFD553027DAFAAFCEBB8E5
SHA-256:	823C7F5B42CC9C40837E14EAB0422D1F73B1CF7082F6C6FC82A9DC628D6F9B76
SHA-512:	C0F44D2CCBF97C7A0F8596BE8D3C28A290755AC18F8FE6F6CB3F2E937B9C65A2B44BBAD10298598394F50421F02B2C3B7039DA16F6F1FAC8C27FCC5620992B8B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Ofmbni32.exe

Download File

Process:	C:\Windows\SysWOW64\Oiibddkd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.693149010585133
Encrypted:	false
SSDEEP:	3072:Gs/hc7RsjIx96vXgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:URfQX1+fIyG5jZkCwi8r
MD5:	1CA23E4E5E376FE53DC0FFC575ED2A21
SHA1:	14834CC51DB67FF09C45332C1F126245A8F3C238
SHA-256:	B18D07B51206AF27C5088C310482611584C190D8F1E7E0F0C40DA009110A8555
SHA-512:	187806C67CA0D22D716BD8A6BE3A4B26C20B9E720067055B92652EEAA754660A917C4FDDD91120E3FB50C92EF128E802D0801BF9ECA4FA03542E5D802EAE5099
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Oiehie32.exe

Download File

Process:	C:\Windows\SysWOW64\Opldpphi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.652398723046625
Encrypted:	false
SSDEEP:	3072:3pDj5hwGEO/TNMha5jzgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:7hVEO/TOh2jz1+fIyG5jZkCwi8r
MD5:	2CD525CE457D0EA53E6C18D181A357B6
SHA1:	091B6A966027B0964C87BE483DB944DCA5DB9831
SHA-256:	4C0CD339B631330659BEA5882E06D69B32168ADA500E46E1FDF78D1518CE6625
SHA-512:	380AD3CE0E0A971F28A2F75AB4D7DCBB90537722F25A6ABA0AE1A0D0A41AEC02D4CEA9F1BF1A08CCB5BD860447E79837B2D005AF891CFFD0E39C8A78AF8FE6D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Oiibddkd.exe

Download File

Process:	C:\Windows\SysWOW64\Oleakplj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.650318951119529
Encrypted:	false
SSDEEP:	3072:MlgiMoIeIckNeeWkRr8ltgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:wMZfJRr8lt1+fIyG5jZkCwi8r
MD5:	DE0F366BEE1506A5273585B95E5E39B6
SHA1:	4BB81E83CAA888C9D53BEEF05DE7E5EFF4D9E920
SHA-256:	5112CB904ACDC5349E816A9AE0E0254053C79191606B44AAE7247EC545B196EA
SHA-512:	69BD96DAE69EB27CA81CF3359B9E08BF7F71D9F2A105A90BF234CB9DCCBD4AD7F45A67C40F34ED9B6C073B251E02499882D4BA5A41B70EC228B2BB6D086903E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Okilnjci.dll

Download File

Process:	C:\Windows\SysWOW64\Ninbhfea.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862911514026563
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0MB+BDq9J5SC:8qtV0HAr4BB+FqX5SC
MD5:	0680096452EFB14C23931E77B0AB6B4E
SHA1:	1B7E9D1EFC5BD818A7F33325E57A3680A1338A9E
SHA-256:	F4EFCE24A052607313B40E2EC2B9360CF21F9EB95BCC8A1105DF50E972549CD4
SHA-512:	45530D6DABAA3B24E177CF7535465C54687ED6E00086694A39513B520E2036BD93617BAAD19309F7CB92D11C42B51DFF9C314EAA755828F172701A7111CD5A37
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Oleakplj.exe

Download File

Process:	C:\Windows\SysWOW64\Obmmbkej.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.655874419612021
Encrypted:	false
SSDEEP:	3072:XP/tzXFQVPAgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:Nz4A1+fIyG5jZkCwi8r
MD5:	30AA748393753182B4B82014D6258B66
SHA1:	8C49F839C08F302C2994B3DBCE3BBEA3D01D70AD
SHA-256:	0F8DC01E846E0300991A322A3BAD91271639332D1579CAEDAD9155EF1A921F56
SHA-512:	50B86E1996B007E4DF450B2423E4FF69CAB5F4219274E0394D8E34A1D6B43D9501FAF731F38D875164B381B532D6079B6751C7DDF861ECEAC571BCBD17AFA4E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Onigbk32.exe

Download File

Process:	C:\Windows\SysWOW64\Ofmbni32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.670027173980494
Encrypted:	false
SSDEEP:	3072:5Se8ZU/pdAyKgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:iZspmyK1+fIyG5jZkCwi8r
MD5:	292610221CEC72FC244EC8366198C3AD
SHA1:	C3D9135899EDA9D4C3398565BA2A4AAD36F5BA83
SHA-256:	433BD86A314DB7E430E6D6CA832F46862626676897F0E62796C5014E3A6E9D08
SHA-512:	8A41F854632C6FEDCA8C2A871A601D9061C987B1B4E50CC2011CCDFFDCAF7D9039D52AB962AC9CA83335DFEC49D36A7E199FFEC9B937A4A5F8BD7A6A4AA8CFB9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Opldpphi.exe

Download File

Process:	C:\Windows\SysWOW64\Npjgkp32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.666412272344835
Encrypted:	false
SSDEEP:	3072:0WdoWpVMW9TEFKPLytSleWgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:5nvnTEFKLytSEW1+fIyG5jZkCwi8r
MD5:	97E52ADC870D05ED94348D4A85F8D03D
SHA1:	C309117BCC3F81A06EE5F9D09E1BF37317C31336
SHA-256:	55F08D7EC72801DEE81992B7DDA0FB2807B1C35BA515932734E4A43C419497E9
SHA-512:	73BA87299CF35CDEB71B2990786FDDD8A7AF4D6E8E17DF10C81B70E3A4AD7833AC19F17F6B250AC0C6578B79BE9B34FB5D27314E1D4C4B90BC50464A5E5B93B7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pilbmhcp.dll

Download File

Process:	C:\Windows\SysWOW64\Bmfpbogh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.862384042556938
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0IB+BDq9J5SC:8qtV0HAr49B+FqX5SC
MD5:	1ECB61EC2B2AEAA9025AEE3F30998AEA
SHA1:	EF195E7AD0E8184164559BF31EFDC1E0589503E8
SHA-256:	300C4800144E0B7B2D51DB4353373A92200C92259F057F54436EFA3081822D80
SHA-512:	817671486A3F8059174DD99ACD3DC94D9CB58C31041A5731E68806B9E23E60090E19BFD77C15C9C8A53125A5F7A6115268753372BA31BDB21586AB4D37CA6C3F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Plaafobm.exe

Download File

Process:	C:\Windows\SysWOW64\Pnkdgk32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.659861640250392
Encrypted:	false
SSDEEP:	3072:JooYfboXnszgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:CDonsz1+fIyG5jZkCwi8r
MD5:	F40C40806DE4163DCD9146C24FFD4D20
SHA1:	B6F0614684EE14F7FEC31343F044AE702EFF80A0
SHA-256:	AA22B3D7E9EEDB466883134517EB84AE1AEB9DDFCD6437B8EBFE1313456FDB0F
SHA-512:	3658DB74BB2A4CCB2D2FA21C45EDE4AE94B7BECE16C753A831CE54817E81C816A138DAF8AAADF6ECB4C1A369D0F30F496A2DEA406C1246D69109EDE86E8DCE88
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Plfjan32.exe

Download File

Process:	C:\Windows\SysWOW64\Plaafobm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.6488603344515935
Encrypted:	false
SSDEEP:	3072:3F2UeO4b7rmgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:IFVbnm1+fIyG5jZkCwi8r
MD5:	28E65FB9EECFE082F19DDE2816479231
SHA1:	1D1AFDBF60A4B3DE57C3A566D3F409387D5C60E5
SHA-256:	27CD5B38801E5F3B75CA41E37EC5FC98E7D76BD55BD38DDD04A28B2A7CBA1DA5
SHA-512:	2A40BE1CCEADB5215EB51B34E8D54B0D5559A0641DDBBD6CE85760B089753489A0B0A307FB5205C9CDBD15874EE18BE9ED2D4F2D4BDE7BA5D1C426EAC2B68C11
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pnkdgk32.exe

Download File

Process:	C:\Windows\SysWOW64\Onigbk32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346052
Entropy (8bit):	5.682188116434951
Encrypted:	false
SSDEEP:	3072:FVxsLVO2SmH1k2NYKgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:FSXR1FYK1+fIyG5jZkCwi8r
MD5:	EEBAD6B46760D753660D4493EEB5AEA2
SHA1:	967A99350B35A95222401A5AAA60F9597480302F
SHA-256:	9EB99B1D99244C175351A32141E4EC77AFD6AEB1E467E3210C3AAE7C686165AC
SHA-512:	3F18E2C70E48A36D6201C3E152EC55441C2B3E9CF8493313C1796D540CEC70D980F4E1C631AC7236F3BFD382492F8C0345CE95D1583CEEFD617F37FB15FCD625
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: ditekSHen
Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.......................................................................................................................................................................text...l.......l................... ....bss.....................................data....3.......3..................@....idata..............................`....fldo............................... ..`.l1................................. ...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pppjem32.dll

Download File

Process:	C:\Windows\SysWOW64\Opldpphi.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.8623788711017264
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0TB+BDq9J5SC:8qtV0HAr4CB+FqX5SC
MD5:	29917E0D482786D92EE5166DEE48872F
SHA1:	53558E557C4EA44C74DA3EDEEB6A7703FDA8F67B
SHA-256:	43CF6D582F59597DACA9646D94522A99C5C53E2E729AE49A1432CC499520D486
SHA-512:	340277F13A468F332EFC139252EF6C65840607AB94689A4DCA09586DFB860114CF4D3A4662049510706F07F19586D38152016E307D122F0A63FB65A9D5A09134
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Qanqbgdb.dll

Download File

Process:	C:\Windows\SysWOW64\Knccbbff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6657
Entropy (8bit):	2.863093033955029
Encrypted:	false
SSDEEP:	48:6WQV5YVOqtV0H1pw9ygYVUG0ZB+BDq9J5SC:8qtV0HAr4EB+FqX5SC
MD5:	22D4C9AD657195C9D8E99A2CF80944E5
SHA1:	719C378307FBA083C54A5A635F2EF235EDA90C64
SHA-256:	F2BAA398E9FD3271018F90D013146C845D7DBC3302D64EC9872E80737FD2A665
SHA-512:	F25D09F07E6CE6CA7EEE3077567C9044297A9CD581930B6E22D3F5EB31F8986F0648C084A5BEC05ED39C3C7110B35E1F2C43F6197C34703B5007023DAC67256F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iJ.@...........!...7.....................0...............................p.......................................`..@....@..l............................P....... ..T............................................................................text............................... ..`.rdata..T.... ..T................... ..@.data........0......................@....idata..l....@..l...................`....reloc.......P...................... ....edata..@....`..@................... ..@................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.6612689717905065
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	f6t9qa761D.exe
File size:	346'052 bytes
MD5:	f66386730c3497ca644c7e77d5d793b0
SHA1:	5da659a3e0af11bc6202517eacca18f4014b705d
SHA256:	cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948
SHA512:	0317f66c97bd23f87b547663cab8cbc1a9bfa6cf620ee8f05380600109ce6f319229c6950776edb3d2f705c672407c8480e44da08455f1f11e01e943ac672cac
SSDEEP:	3072:um2uO9O6VLTav239gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:tMae391+fIyG5jZkCwi8r
TLSH:	5F74B8FB5DA25F1FC41E637984ABCAC05269C45F0C76D64225782CEAB96F0823CF5E48
File Content Preview:	MZ......................@.......................................................................................................PE..L...{..]...............7.....D....................@..........................0.............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x430000
Entrypoint Section:	.fldo
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5DD70A7B [Thu Nov 21 22:06:51 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	0b36fc85e0cb5e337c80982db5210969

Entrypoint Preview

Instruction
nop
nop
pushad
nop
nop
nop
call 00007F9510BAA276h
nop
nop
nop
pop eax
nop
nop
nop
add eax, 00403DAAh
sub eax, 00403D50h
nop
nop
nop
nop
nop
mov ebx, dword ptr [eax]
mov ecx, dword ptr [eax+04h]
nop
nop
nop
nop
nop
mov edx, dword ptr [eax+08h]
nop
xor dword ptr [ebx], edx
nop
nop
nop
nop
nop
nop
add ebx, 04h
nop
cmp ebx, ecx
nop
nop
nop
nop
nop
jl 00007F9510BAA25Dh
nop
nop
nop
nop
nop
add eax, 0Ch
nop
cmp dword ptr [eax], 00000000h
nop
nop
nop
nop
jne 00007F9510BAA239h
nop
nop
nop
nop
nop
nop
nop
nop
popad
jmp 00007F9510B7B429h
add byte ptr [eax], dl
inc eax
add byte ptr [edi+ecx*4+40h], ch
add byte ptr [eax+5Eh], ch
outsb
add byte ptr [eax-1C2FFFBEh], dh
inc edx
add byte ptr [ebx+ecx*2+62h], dh
and eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
nop
nop
mov ecx, ebx
nop
nop
sub ecx, eax
nop
nop
nop
nop
xor edx, edx
nop
nop
nop
nop
nop
nop
push eax
nop
nop
nop
nop
nop
nop
nop
mov eax, ecx
nop
nop
nop
nop
div edi
nop
xchg eax, ecx
nop
nop
nop
nop
nop
nop
nop
nop
nop
pop eax
mov esi, 56C206A6h
nop
xor dword ptr [eax], esi
nop
nop
nop
nop
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31000	0x1200	.l1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31498	0x70b	.l1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7f6c	0x7f6c	950bbde3161a71380a2af8202c90b983	False	0.6269773145309626	data	7.129435722610816	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x9000	0x213b0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2b000	0x33d0	0x33d0	85a8bf9c39c0641a69681be5682e4580	False	0.42950844390832327	data	5.793359367773964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2f000	0xea4	0xea4	07503ec7be5c514cb3ab851e7b2fddc2	False	0.39567769477054426	data	5.152165428838902	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fldo	0x30000	0x1000	0x200	2e7279b6292b8fe51fe849d982db07eb	False	0.32421875	data	2.405730751649239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.l1	0x31000	0x1200	0x1200	02652d9b7d54cdf6d766c9051bdb61c4	False	0.3776041666666667	data	5.291781955696081	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ole32.DLL	CoCreateInstance, CLSIDFromString, CoInitialize, CoUninitialize
OLEAUT32.DLL	SysAllocString
WININET.DLL	DeleteUrlCacheEntry, FindFirstUrlCacheEntryA, FindNextUrlCacheEntryA
KERNEL32.DLL	ExitProcess, ExpandEnvironmentStringsA, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetExitCodeThread, GetFileSize, GetModuleFileNameA, GetModuleHandleA, CloseHandle, GetProcAddress, GetSystemDirectoryA, GetTempPathA, GetTickCount, GetVersion, GetVersionExA, GetWindowsDirectoryA, GlobalMemoryStatus, CopyFileA, InterlockedIncrement, IsBadReadPtr, IsBadWritePtr, LoadLibraryA, LocalAlloc, LocalFree, OpenMutexA, CreateFileA, ReadFile, RtlUnwind, SetFilePointer, CreateMutexA, Sleep, TerminateProcess, VirtualQuery, CreateProcessA, WaitForSingleObject, WideCharToMultiByte, WinExec, WriteFile, lstrlenA, lstrlenW, CreateThread, DeleteFileA
USER32.DLL	GetWindowTextA, GetWindowRect, FindWindowA, GetWindow, GetClassNameA, SetFocus, GetForegroundWindow, LoadCursorA, LoadIconA, SetTimer, RegisterClassA, MessageBoxA, GetMessageA, GetWindowLongA, SetWindowLongA, CreateDesktopA, SetThreadDesktop, GetThreadDesktop, TranslateMessage, DispatchMessageA, SendMessageA, PostQuitMessage, ShowWindow, CreateWindowExA, DestroyWindow, MoveWindow, DefWindowProcA, CallWindowProcA
GDI32.DLL	GetStockObject, SetBkColor, SetTextColor, CreateBrushIndirect, CreateFontA
ADVAPI32.DLL	GetUserNameA, RegCreateKeyExA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, GetSecurityInfo, SetSecurityInfo, SetEntriesInAclA
CRTDLL.DLL	__GetMainArgs, _sleep, _stricmp, atoi, exit, memcpy, memset, printf, raise, rand, signal, sprintf, srand, sscanf, strcat, strchr, strncmp, vsprintf
NTDLL.DLL	LdrUnloadDll

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 19:48:30.793437004 CEST	53	58542	1.1.1.1	192.168.2.10

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: f6t9qa761D.exePID: 7816, Parent PID: 3968

General

Target ID:	1
Start time:	13:48:15
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\f6t9qa761D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\f6t9qa761D.exe"
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	F66386730C3497CA644C7E77D5D793B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000003.1382620236.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000003.1383183359.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jagibbdg.exePID: 7860, Parent PID: 7816

General

Target ID:	2
Start time:	13:48:15
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Jagibbdg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jagibbdg.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	124816B52FD54D9C0496C6E8F1AB2A5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000003.1384605197.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000003.1383486321.0000000000517000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jagibbdg.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Jokilfca.exePID: 7876, Parent PID: 7860

General

Target ID:	3
Start time:	13:48:15
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Jokilfca.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Jokilfca.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	AC30565C2AC0057322C2E64F3CC0FBF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000003.1385339329.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000003.1385969006.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Jokilfca.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Kegnnphk.exePID: 7892, Parent PID: 7876

General

Target ID:	4
Start time:	13:48:15
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Kegnnphk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Kegnnphk.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	B001CD1D8B944653D13962490626A544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000003.1386806651.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kegnnphk.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Knccbbff.exePID: 7908, Parent PID: 7892

General

Target ID:	5
Start time:	13:48:15
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Knccbbff.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Knccbbff.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	95A1E08557C9409B202379BFA46A32FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000003.1388062598.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Knccbbff.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Kkgclgep.exePID: 7924, Parent PID: 7908

General

Target ID:	6
Start time:	13:48:16
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Kkgclgep.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Kkgclgep.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	3BF815BC7A4EF539C25284384F57B104
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000003.1388400520.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000003.1390029708.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkgclgep.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Kkipaf32.exePID: 7956, Parent PID: 7924

General

Target ID:	7
Start time:	13:48:16
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Kkipaf32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Kkipaf32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E411C0D85828BE876ADBBE5F36DE67A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000003.1396799040.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Kkipaf32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Loplncai.exePID: 7984, Parent PID: 7956

General

Target ID:	8
Start time:	13:48:16
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Loplncai.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Loplncai.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	F52EDDE5B35A8A27FA3D691183E2953B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000003.1397065400.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000003.1397600415.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Loplncai.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mlfimg32.exePID: 8000, Parent PID: 7984

General

Target ID:	9
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mlfimg32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mlfimg32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	CF46B9CAC7594BA5D4DC54F0FCD338E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000003.1398787103.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000003.1398838683.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mlfimg32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mhmiah32.exePID: 8016, Parent PID: 8000

General

Target ID:	10
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mhmiah32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mhmiah32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	55B8378BCCA0573AA52EDC94AEFDC704
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000003.1399746300.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000003.1399107397.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mhmiah32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mddjfiih.exePID: 8032, Parent PID: 8016

General

Target ID:	11
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mddjfiih.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mddjfiih.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	65A1D3054A66017AF432390EA625E50E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000003.1400431531.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000003.1400042225.0000000000586000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mddjfiih.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mbhkpnhb.exePID: 8048, Parent PID: 8032

General

Target ID:	12
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mbhkpnhb.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mbhkpnhb.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	D6E72D73103928A200613FBC2BD9111C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000003.1401384736.00000000004C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mbhkpnhb.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mkqoicnb.exePID: 8064, Parent PID: 8048

General

Target ID:	13
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mkqoicnb.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mkqoicnb.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	94197F299C36AF08D341335E816F8EEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000003.1401676955.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000003.1402396137.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mkqoicnb.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mdicai32.exePID: 8080, Parent PID: 8064

General

Target ID:	14
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mdicai32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mdicai32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	1DB703D13A41CD9D7EBDCB67FDF2E592
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000003.1403408472.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000003.1403263169.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mdicai32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Mfhplllf.exePID: 8100, Parent PID: 8080

General

Target ID:	15
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Mfhplllf.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Mfhplllf.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	26B8ED89C80AF1A6DE69F0266F739588
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000003.1403643696.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000003.1404271803.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Mfhplllf.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nncepn32.exePID: 8116, Parent PID: 8100

General

Target ID:	16
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Nncepn32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nncepn32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	B674905DB37AC8FC43BA727B14D25D04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000003.1404507070.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000003.1404835697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nncepn32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nmdeneap.exePID: 8132, Parent PID: 8116

General

Target ID:	17
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Nmdeneap.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nmdeneap.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E5F6FAFD14FBB658217EE86CBE587A03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000003.1405915319.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000003.1405881703.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nmdeneap.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nfmigk32.exePID: 8148, Parent PID: 8132

General

Target ID:	18
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Nfmigk32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nfmigk32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	94CD6FB51F256E10BA1195DD99C4B4EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000003.1406624266.0000000000617000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000003.1406660618.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nfmigk32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nnhnkmek.exePID: 8168, Parent PID: 8148

General

Target ID:	19
Start time:	13:48:17
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Nnhnkmek.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nnhnkmek.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	325DEE8246A1AC0453E99E6F61321E68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000003.1407230240.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000003.1406890372.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nnhnkmek.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ninbhfea.exePID: 8184, Parent PID: 8168

General

Target ID:	20
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Ninbhfea.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ninbhfea.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	30CE048D570516E488325C85BB935BA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000003.1408231486.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000014.00000002.1526975636.000000000042B000.00000004.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000003.1407697621.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ninbhfea.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Nfacbjdk.exePID: 7192, Parent PID: 8184

General

Target ID:	21
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Nfacbjdk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Nfacbjdk.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	DE19B82272034D866A40A521582F9F76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000003.1408558477.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000015.00000002.1526575725.000000000042B000.00000004.00000001.01000000.00000017.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000003.1409534659.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Nfacbjdk.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Npjgkp32.exePID: 7244, Parent PID: 7192

General

Target ID:	22
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Npjgkp32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Npjgkp32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	CBAD3F92CD27CB09639A094829D9F6FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000016.00000002.1526525662.000000000042B000.00000004.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000003.1410331324.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000003.1409810870.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Npjgkp32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Opldpphi.exePID: 7288, Parent PID: 7244

General

Target ID:	23
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Opldpphi.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Opldpphi.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	97E52ADC870D05ED94348D4A85F8D03D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000003.1411146589.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000003.1411099654.0000000000607000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000017.00000002.1526209069.000000000042B000.00000004.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Opldpphi.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Oiehie32.exePID: 7340, Parent PID: 7288

General

Target ID:	24
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Oiehie32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Oiehie32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	2CD525CE457D0EA53E6C18D181A357B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000018.00000002.1525964158.000000000042B000.00000004.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000018.00000003.1411928431.0000000000727000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000018.00000003.1411397694.0000000000706000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oiehie32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Obmmbkej.exePID: 7384, Parent PID: 7340

General

Target ID:	25
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Obmmbkej.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Obmmbkej.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	302772D04A5F8FE5E8DEE3E6C1384AD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000019.00000002.1525639358.000000000042B000.00000004.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000003.1412836135.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Obmmbkej.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Oleakplj.exePID: 7432, Parent PID: 7384

General

Target ID:	26
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Oleakplj.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Oleakplj.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	30AA748393753182B4B82014D6258B66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001A.00000003.1413094066.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001A.00000002.1525532633.000000000042B000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001A.00000003.1413699839.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oleakplj.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Oiibddkd.exePID: 7476, Parent PID: 7432

General

Target ID:	27
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Oiibddkd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Oiibddkd.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	DE0F366BEE1506A5273585B95E5E39B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001B.00000003.1414686039.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001B.00000003.1414648666.0000000000827000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001B.00000002.1525316582.000000000042B000.00000004.00000001.01000000.0000001D.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Oiibddkd.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Ofmbni32.exePID: 7528, Parent PID: 7476

General

Target ID:	28
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Ofmbni32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Ofmbni32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	1CA23E4E5E376FE53DC0FFC575ED2A21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001C.00000003.1414919528.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001C.00000002.1524999550.000000000042B000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001C.00000003.1415881163.0000000000467000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Ofmbni32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Onigbk32.exePID: 7580, Parent PID: 7528

General

Target ID:	29
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Onigbk32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Onigbk32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	292610221CEC72FC244EC8366198C3AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001D.00000003.1416962414.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001D.00000002.1524873980.000000000042B000.00000004.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001D.00000003.1416821350.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Onigbk32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Pnkdgk32.exePID: 7628, Parent PID: 7580

General

Target ID:	30
Start time:	13:48:18
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Pnkdgk32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Pnkdgk32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	EEBAD6B46760D753660D4493EEB5AEA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001E.00000003.1419724385.0000000000716000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001E.00000002.1524585062.000000000042B000.00000004.00000001.01000000.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Pnkdgk32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Plaafobm.exePID: 1668, Parent PID: 7628

General

Target ID:	31
Start time:	13:48:19
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Plaafobm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Plaafobm.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	F40C40806DE4163DCD9146C24FFD4D20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 0000001F.00000002.1524475823.000000000042B000.00000004.00000001.01000000.00000021.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000001F.00000003.1424740554.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plaafobm.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Plfjan32.exePID: 1672, Parent PID: 1668

General

Target ID:	32
Start time:	13:48:19
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Plfjan32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Plfjan32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	28E65FB9EECFE082F19DDE2816479231
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000020.00000003.1426128043.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000020.00000002.1524355050.000000000042B000.00000004.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Plfjan32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Abgiogom.exePID: 2540, Parent PID: 1672

General

Target ID:	33
Start time:	13:48:19
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Abgiogom.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Abgiogom.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	5F5E82E399D074D5225D8C32138803C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000021.00000002.1524164394.000000000042B000.00000004.00000001.01000000.00000023.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000021.00000003.1426482415.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000021.00000003.1427016535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Abgiogom.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Afeaee32.exePID: 6736, Parent PID: 2540

General

Target ID:	34
Start time:	13:48:19
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Afeaee32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Afeaee32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	8B41C95F611B1B1A8C86BA70B3CC6443
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000022.00000002.1523986875.000000000042B000.00000004.00000001.01000000.00000024.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000022.00000003.1427802477.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000022.00000003.1427760940.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Afeaee32.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Apmfnklc.exePID: 5756, Parent PID: 6736

General

Target ID:	35
Start time:	13:48:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Apmfnklc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Apmfnklc.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	E102B1D30DCF3D950377A7F84B677C5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000023.00000002.1523895240.000000000042B000.00000004.00000001.01000000.00000025.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000023.00000003.1428633163.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000023.00000003.1428040087.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Apmfnklc.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Aiejgqbd.exePID: 5820, Parent PID: 5756

General

Target ID:	36
Start time:	13:48:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Aiejgqbd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Aiejgqbd.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	59BBE828FE074191C2D6054D26585CF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000024.00000002.1523678753.000000000042B000.00000004.00000001.01000000.00000026.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000024.00000003.1429745266.0000000000665000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000024.00000003.1429702535.0000000000687000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Aiejgqbd.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Abnopf32.exePID: 932, Parent PID: 5820

General

Target ID:	37
Start time:	13:48:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Abnopf32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Abnopf32.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	193316C91B9FBD583AB86986F09C4F6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000025.00000002.1523541289.000000000042B000.00000004.00000001.01000000.00000027.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000025.00000003.1430537589.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000025.00000003.1429984432.0000000000666000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Abnopf32.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Boepdgoi.exePID: 5860, Parent PID: 932

General

Target ID:	38
Start time:	13:48:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Boepdgoi.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Boepdgoi.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	B4F5C63C242907828BEEA09266B776DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000026.00000002.1523468407.000000000042B000.00000004.00000001.01000000.00000028.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000026.00000003.1431367294.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Boepdgoi.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Bmfpbogh.exePID: 6704, Parent PID: 5860

General

Target ID:	39
Start time:	13:48:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\Bmfpbogh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\Bmfpbogh.exe
Imagebase:	0x400000
File size:	346'052 bytes
MD5 hash:	B5A7058FBD260D483CAC8A6FCE0251AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Berbew, Description: Yara detected Berbew, Source: 00000027.00000002.1523166948.000000000042B000.00000004.00000001.01000000.00000029.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000027.00000003.1431993392.0000000000786000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\SysWOW64\Bmfpbogh.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: f6t9qa761D.exePID: 7816, Parent PID: 3968COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
dnkk.dll, xrefs: 00407BA7
Software\Microsoft, xrefs: 00407E24
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
3, xrefs: 00407AB6
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.dll, xrefs: 00407B41
2, xrefs: 00407ABD
surf.dat, xrefs: 00407BD4
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
kk32.vxd, xrefs: 00407B74
%s\%s.exe, xrefs: 00407AD6
kernel32.dll, xrefs: 00407DBE
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
RegisterServiceProcess, xrefs: 00407DC8
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Jagibbdg, xrefs: 00404377, 0040437C
2, xrefs: 0040431D
Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
3, xrefs: 00404316
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jagibbdg$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-524478654
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 00403DC3 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

6D43, xrefs: 00403E7D

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: 6D43
API String ID: 0-2272120732
Opcode ID: 19db3b4267267466fcd2ddfd0aaf4f61854c112a4bab500ef29b6f437dc11b4e
Instruction ID: ed2a4a0673b3cbe0cf9f0d43336b25b0feef7a6fa073c905f4e98535d57dc397
Opcode Fuzzy Hash: 19db3b4267267466fcd2ddfd0aaf4f61854c112a4bab500ef29b6f437dc11b4e
Instruction Fuzzy Hash: 2B114F6EFCE0140AC72D9C316841B77D5BA9377392F29B53A5801F3381D238CC0A408C

Function 00403CB3 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

6D43, xrefs: 00403D0D

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: 6D43
API String ID: 0-2272120732
Opcode ID: 69aff3fb20dea2b5d0b0875ef9005b4f6692fdcb809862e38d2f1d45ddb599b4
Instruction ID: 8bc5c565821a255af50f7e8b1c1fbdbf9833591184a8614d18cd10e2c6dbc39d
Opcode Fuzzy Hash: 69aff3fb20dea2b5d0b0875ef9005b4f6692fdcb809862e38d2f1d45ddb599b4
Instruction Fuzzy Hash: 02F09218F8F104068A15CD702480A73D87CDB37722F25783A5493F3343DA68CD06400C

Function 00403D50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dbce3df0654c81300a8afe9c276bb6b3e3c1a64ddc02ec2824a7a3afcc4c12
Instruction ID: 548ae9071117d7bbe8a43db882b87e4e8540575cb5e6b64c41217f31213c673e
Opcode Fuzzy Hash: 68dbce3df0654c81300a8afe9c276bb6b3e3c1a64ddc02ec2824a7a3afcc4c12
Instruction Fuzzy Hash: F9E0B636D8A2008BC7158E30D589A35FABCDB6B312F24F575C009B7266C3B8D906D51C

Function 0043000C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c017a1f3d529617283662292e1046af8cb613a5afe1235f9fc6f6dcb822433
Instruction ID: 7fe811a851544f942a95c260719f5ddc29f03ebe2a4739535f31b6cbe29c83ca
Opcode Fuzzy Hash: d9c017a1f3d529617283662292e1046af8cb613a5afe1235f9fc6f6dcb822433
Instruction Fuzzy Hash: C5E0EC3698A2008FD718CE20DA99B35F678DB6B315F24F6B5C006B7266C378D945D51C

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\Rtdx1%i.dat, xrefs: 004077DC
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
%s\cmd.exe, xrefs: 004076F2
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://konfiskat.org/index.htm, xrefs: 00407539
http://ldark.nm.ru/index.htm, xrefs: 004075A7
/, xrefs: 0040781B
http://promo.ru/index.htm, xrefs: 00407442
2, xrefs: 00407601
%s /C %s, xrefs: 00407768
http://cvv.ru/index.htm, xrefs: 0040749F
%s\cmd.pif, xrefs: 004076D6
%s\command.pif, xrefs: 00407726
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.nu/index.htm, xrefs: 004074B9
http://fethard.biz/index.htm, xrefs: 004075C1
wupd , xrefs: 0040778C
http://kavkaz.ru/index.htm, xrefs: 00407587
%s/Rtdx1%i.htm, xrefs: 00407857
\command.com, xrefs: 00407737
http://parex-bank.ru/index.htm, xrefs: 00407553
http://xware.cjb.net/index.htm, xrefs: 00407513
:%02u, xrefs: 00407682
:, xrefs: 00407654
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://crutop.ru/index.htm, xrefs: 004074DF
:, xrefs: 00407661

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Security Measures, xrefs: 0040677A
Explorer, xrefs: 004066F4
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Please fill in the correct information to verify your identity., xrefs: 004068DB
KingKarton, xrefs: 00406746
Your card number, xrefs: 00406A71
DocObject, xrefs: 004066E5
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
MasterCard, xrefs: 0040692D
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Visa, xrefs: 0040693F
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Card && expiration date, xrefs: 00406A38
ATM PIN-Code, xrefs: 00406AE3
Click Once To Continue, xrefs: 00406C0C

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://trojan.ru/index.php, xrefs: 00407271
crutop, xrefs: 0040736C
http://fuck.ru/index.php, xrefs: 00407288
http://mazafaka.ru/index.php, xrefs: 00407226
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://cvv.ru/index.php, xrefs: 00407324
http://www.redline.ru/index.php, xrefs: 0040730D
http://devx.nm.ru/index.php, xrefs: 004072D3
http://crutop.ru/index.php, xrefs: 0040720F
http://filesearch.ru/index.php, xrefs: 004072BC
http://fethard.biz/index.php, xrefs: 00407352
http://color-bank.ru/index.php, xrefs: 00407243
http://hackers.lv/index.php, xrefs: 0040733B
ofs_kk, xrefs: 00407382
http://asechka.ru/index.php, xrefs: 0040725A
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://crutop.nu/index.php, xrefs: 004071E6
http://goldensand.ru/index.php, xrefs: 004072A5

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Explorer, xrefs: 00406C58
KingKarton, xrefs: 00406CBB
Your card number, xrefs: 00406EF5
DocObject, xrefs: 00406C49
Please make corrections and try again., xrefs: 00406FDF
MasterCard, xrefs: 00406DB8
Authorization Failed., xrefs: 00406CEF
EDIT, xrefs: 0040701A, 00407050, 0040708C
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Visa, xrefs: 00406DCF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
BUTTON, xrefs: 004070C8
Card && expiration date, xrefs: 00406EB6
ATM PIN-Code, xrefs: 00406F67
Click Once To Continue, xrefs: 004070C3

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<script>, xrefs: 00405CAE
MicroSoft-Corp, xrefs: 00405BD3
function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
%sself.parent.location="%s";, xrefs: 00405D7B
<body>, xrefs: 00405C59
</head>, xrefs: 00405C1F
%s<title>%s%u</title>, xrefs: 00405BDF
<html>, xrefs: 00405ABA
%ssetTimeout("x()",%u);, xrefs: 00405E1B
</body><html>, xrefs: 00405ED6
</script>, xrefs: 00405E55
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
.htm, xrefs: 00405A9A

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
D, xrefs: 0040609F
\Iexplore.exe , xrefs: 00406048
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E
X-okRecv11, xrefs: 0040578F
Path, xrefs: 0040557E
\Iexplore.exe , xrefs: 0040561A
IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
1601, xrefs: 004053ED

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC
RtlNtStatusToDosError, xrefs: 00402AF8
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000001.00000002.1531890823.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1531784321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532010343.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532138522.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532281566.0000000000430000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532360599.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1532451400.0000000000432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_f6t9qa761D.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jagibbdg.exePID: 7860, Parent PID: 7816COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kk32.dll, xrefs: 00407B41
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
surf.dat, xrefs: 00407BD4
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
3, xrefs: 00407AB6
2, xrefs: 00407ABD
kk32.vxd, xrefs: 00407B74
dnkk.dll, xrefs: 00407BA7
%s\%s.exe, xrefs: 00407AD6
RegisterServiceProcess, xrefs: 00407DC8
frm2, xrefs: 00407E1F
kernel32.dll, xrefs: 00407DBE
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
Software\Microsoft, xrefs: 00407E24

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316
Jokilfca, xrefs: 00404377, 0040437C
%s\%s.dll, xrefs: 0040433C
Apartment, xrefs: 004043EC
2, xrefs: 0040431D
CLSID\%s\InProcServer32, xrefs: 004043B2
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Jokilfca$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-4072994604
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://konfiskat.org/index.htm, xrefs: 00407539
2, xrefs: 00407601
http://promo.ru/index.htm, xrefs: 00407442
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://kavkaz.ru/index.htm, xrefs: 00407587
%s/Rtdx1%i.htm, xrefs: 00407857
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.nu/index.htm, xrefs: 004074B9
wupd , xrefs: 0040778C
http://parex-bank.ru/index.htm, xrefs: 00407553
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\Rtdx1%i.dat, xrefs: 004077DC
http://crutop.ru/index.htm, xrefs: 004074DF
http://fethard.biz/index.htm, xrefs: 004075C1
http://cvv.ru/index.htm, xrefs: 0040749F
\command.com, xrefs: 00407737
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407654
%s\command.pif, xrefs: 00407726
/, xrefs: 0040781B
:%02u, xrefs: 00407682
%s /C %s, xrefs: 00407768
:, xrefs: 00407661
http://xware.cjb.net/index.htm, xrefs: 00407513

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Card && expiration date, xrefs: 00406A38
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
KingKarton, xrefs: 00406746
ATM PIN-Code, xrefs: 00406AE3
Click Once To Continue, xrefs: 00406C0C
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Your card number, xrefs: 00406A71
Security Measures, xrefs: 0040677A
Visa, xrefs: 0040693F
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Explorer, xrefs: 004066F4
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
MasterCard, xrefs: 0040692D
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
DocObject, xrefs: 004066E5
Please fill in the correct information to verify your identity., xrefs: 004068DB
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://trojan.ru/index.php, xrefs: 00407271
http://filesearch.ru/index.php, xrefs: 004072BC
http://goldensand.ru/index.php, xrefs: 004072A5
http://mazafaka.ru/index.php, xrefs: 00407226
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://asechka.ru/index.php, xrefs: 0040725A
http://fethard.biz/index.php, xrefs: 00407352
http://color-bank.ru/index.php, xrefs: 00407243
http://cvv.ru/index.php, xrefs: 00407324
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://fuck.ru/index.php, xrefs: 00407288
crutop, xrefs: 0040736C
ofs_kk, xrefs: 00407382
http://devx.nm.ru/index.php, xrefs: 004072D3
http://hackers.lv/index.php, xrefs: 0040733B
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.nu/index.php, xrefs: 004071E6
http://crutop.ru/index.php, xrefs: 0040720F

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406EB6
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Authorization Failed., xrefs: 00406CEF
KingKarton, xrefs: 00406CBB
ATM PIN-Code, xrefs: 00406F67
Click Once To Continue, xrefs: 004070C3
Your card number, xrefs: 00406EF5
Please make corrections and try again., xrefs: 00406FDF
Visa, xrefs: 00406DCF
EDIT, xrefs: 0040701A, 00407050, 0040708C
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Explorer, xrefs: 00406C58
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
MasterCard, xrefs: 00406DB8
BUTTON, xrefs: 004070C8
DocObject, xrefs: 00406C49

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</head>, xrefs: 00405C1F
</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<body>, xrefs: 00405C59
.htm, xrefs: 00405A9A
function x(), xrefs: 00405CF7
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
<head>, xrefs: 00405B5B
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
X-okRecv11, xrefs: 004061B4
Path, xrefs: 00405FED

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700
X-okRecv11, xrefs: 0040578F
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC
NtOpenSection, xrefs: 00402AD8

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC
%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 00000002.00000002.1532015111.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1531884717.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532285107.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532453879.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532630125.0000000000430000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532734839.0000000000431000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1532855476.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Jagibbdg.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Jokilfca.exePID: 7876, Parent PID: 7860COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kernel32.dll, xrefs: 00407DBE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
3, xrefs: 00407AB6
Software\Microsoft, xrefs: 00407E24
kk32.dll, xrefs: 00407B41
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
surf.dat, xrefs: 00407BD4
dnkk.dll, xrefs: 00407BA7
kk32.vxd, xrefs: 00407B74
KingKarton_10, xrefs: 00407968, 00407D9A
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
2, xrefs: 00407ABD
frm2, xrefs: 00407E1F
RegisterServiceProcess, xrefs: 00407DC8
%s\%s.exe, xrefs: 00407AD6
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Kegnnphk, xrefs: 00404377, 0040437C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
%s\%s.dll, xrefs: 0040433C
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316
2, xrefs: 0040431D
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Kegnnphk$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1117584532
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s\Rtdx1%i.dat, xrefs: 004077DC
:%02u, xrefs: 00407682
http://kavkaz.ru/index.htm, xrefs: 00407587
http://kadet.ru/index.htm, xrefs: 00407485
%s /C %s, xrefs: 00407768
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://fethard.biz/index.htm, xrefs: 004075C1
/, xrefs: 0040781B
%s/Rtdx1%i.htm, xrefs: 00407857
http://promo.ru/index.htm, xrefs: 00407442
:, xrefs: 00407661
%s\command.pif, xrefs: 00407726
http://konfiskat.org/index.htm, xrefs: 00407539
http://parex-bank.ru/index.htm, xrefs: 00407553
:, xrefs: 00407654
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://crutop.nu/index.htm, xrefs: 004074B9
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
2, xrefs: 00407601
http://xware.cjb.net/index.htm, xrefs: 00407513
http://crutop.ru/index.htm, xrefs: 004074DF
%s\cmd.exe, xrefs: 004076F2
http://cvv.ru/index.htm, xrefs: 0040749F
%s\cmd.pif, xrefs: 004076D6
wupd , xrefs: 0040778C
\command.com, xrefs: 00407737

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Security Measures, xrefs: 0040677A
BUTTON, xrefs: 00406C11
Please fill in the correct information to verify your identity., xrefs: 004068DB
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Card && expiration date, xrefs: 00406A38
Visa, xrefs: 0040693F
MasterCard, xrefs: 0040692D
ATM PIN-Code, xrefs: 00406AE3
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Your card number, xrefs: 00406A71
Explorer, xrefs: 004066F4
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
Click Once To Continue, xrefs: 00406C0C
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Full Name, xrefs: 004069F3
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

crutop, xrefs: 0040736C
http://color-bank.ru/index.php, xrefs: 00407243
vvpupkin, xrefs: 00407367
http://crutop.ru/index.php, xrefs: 0040720F
http://hackers.lv/index.php, xrefs: 0040733B
http://fethard.biz/index.php, xrefs: 00407352
http://trojan.ru/index.php, xrefs: 00407271
http://www.redline.ru/index.php, xrefs: 0040730D
http://mazafaka.ru/index.php, xrefs: 00407226
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.nu/index.php, xrefs: 004071E6
http://goldensand.ru/index.php, xrefs: 004072A5
http://cvv.ru/index.php, xrefs: 00407324
http://asechka.ru/index.php, xrefs: 0040725A
http://filesearch.ru/index.php, xrefs: 004072BC
http://devx.nm.ru/index.php, xrefs: 004072D3
http://fuck.ru/index.php, xrefs: 00407288
http://ros-neftbank.ru/index.php, xrefs: 00407387
ofs_kk, xrefs: 00407382

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

BUTTON, xrefs: 004070C8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Card && expiration date, xrefs: 00406EB6
Visa, xrefs: 00406DCF
MasterCard, xrefs: 00406DB8
Please make corrections and try again., xrefs: 00406FDF
ATM PIN-Code, xrefs: 00406F67
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Your card number, xrefs: 00406EF5
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Explorer, xrefs: 00406C58
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
Click Once To Continue, xrefs: 004070C3
Authorization Failed., xrefs: 00406CEF
EDIT, xrefs: 0040701A, 00407050, 0040708C

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<html>, xrefs: 00405ABA
</script>, xrefs: 00405E55
<script>, xrefs: 00405CAE
<head>, xrefs: 00405B5B
MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<body>, xrefs: 00405C59
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
</body><html>, xrefs: 00405ED6
%sself.parent.location="%s";, xrefs: 00405D7B

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
X-okRecv11, xrefs: 004061B4
D, xrefs: 0040609F
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
\Iexplore.exe , xrefs: 00406048
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
MicroSoft-Corp, xrefs: 00406128

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
X-okRecv11, xrefs: 0040578F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
D, xrefs: 0040566E
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
MicroSoft-Corp, xrefs: 00405700

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413
BrowseNewProcess, xrefs: 0040542C
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

ntdll.dll, xrefs: 00402AA0
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000003.00000002.1531649860.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1531524255.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531795562.000000000042B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1531948353.000000000042F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532059371.0000000000430000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532192273.0000000000431000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.1532279851.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Jokilfca.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Kegnnphk.exePID: 7892, Parent PID: 7876COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
dnkk.dll, xrefs: 00407BA7
%s\%s.exe, xrefs: 00407AD6
2, xrefs: 00407ABD
Software\Microsoft, xrefs: 00407E24
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
kernel32.dll, xrefs: 00407DBE
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
RegisterServiceProcess, xrefs: 00407DC8
3, xrefs: 00407AB6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kk32.dll, xrefs: 00407B41
frm2, xrefs: 00407E1F
surf.dat, xrefs: 00407BD4
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton_10, xrefs: 00407968, 00407D9A

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
3, xrefs: 00404316
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC
Knccbbff, xrefs: 00404377, 0040437C

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Knccbbff$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2876935918
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s\cmd.pif, xrefs: 004076D6
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://xware.cjb.net/index.htm, xrefs: 00407513
:%02u, xrefs: 00407682
2, xrefs: 00407601
%s\Rtdx1%i.dat, xrefs: 004077DC
http://kavkaz.ru/index.htm, xrefs: 00407587
%s/Rtdx1%i.htm, xrefs: 00407857
%s /C %s, xrefs: 00407768
%s\command.pif, xrefs: 00407726
http://crutop.ru/index.htm, xrefs: 004074DF
%s\cmd.exe, xrefs: 004076F2
http://parex-bank.ru/index.htm, xrefs: 00407553
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://kadet.ru/index.htm, xrefs: 00407485
wupd , xrefs: 0040778C
http://konfiskat.org/index.htm, xrefs: 00407539
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
/, xrefs: 0040781B
\command.com, xrefs: 00407737
:, xrefs: 00407661
http://promo.ru/index.htm, xrefs: 00407442
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.nu/index.htm, xrefs: 004074B9
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://cvv.ru/index.htm, xrefs: 0040749F
http://fethard.biz/index.htm, xrefs: 004075C1
:, xrefs: 00407654

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406AAA
DocObject, xrefs: 004066E5
MasterCard, xrefs: 0040692D
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Security Measures, xrefs: 0040677A
Please fill in the correct information to verify your identity., xrefs: 004068DB
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
KingKarton, xrefs: 00406746
Click Once To Continue, xrefs: 00406C0C
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Card && expiration date, xrefs: 00406A38
ATM PIN-Code, xrefs: 00406AE3
Your card number, xrefs: 00406A71
Full Name, xrefs: 004069F3
Visa, xrefs: 0040693F
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Explorer, xrefs: 004066F4
BUTTON, xrefs: 00406C11
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fuck.ru/index.php, xrefs: 00407288
http://www.redline.ru/index.php, xrefs: 0040730D
http://trojan.ru/index.php, xrefs: 00407271
http://filesearch.ru/index.php, xrefs: 004072BC
http://goldensand.ru/index.php, xrefs: 004072A5
http://fethard.biz/index.php, xrefs: 00407352
http://cvv.ru/index.php, xrefs: 00407324
http://crutop.nu/index.php, xrefs: 004071E6
http://asechka.ru/index.php, xrefs: 0040725A
crutop, xrefs: 0040736C
http://hackers.lv/index.php, xrefs: 0040733B
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://mazafaka.ru/index.php, xrefs: 00407226
http://color-bank.ru/index.php, xrefs: 00407243
vvpupkin, xrefs: 00407367
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://crutop.ru/index.php, xrefs: 0040720F

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

3-digit validation code on back of card (cvv2), xrefs: 00406F2E
DocObject, xrefs: 00406C49
MasterCard, xrefs: 00406DB8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
KingKarton, xrefs: 00406CBB
Click Once To Continue, xrefs: 004070C3
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Card && expiration date, xrefs: 00406EB6
ATM PIN-Code, xrefs: 00406F67
Your card number, xrefs: 00406EF5
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Authorization Failed., xrefs: 00406CEF
Visa, xrefs: 00406DCF
Explorer, xrefs: 00406C58
BUTTON, xrefs: 004070C8
EDIT, xrefs: 0040701A, 00407050, 0040708C

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
.htm, xrefs: 00405A9A
<html>, xrefs: 00405ABA
function x(), xrefs: 00405CF7
<body>, xrefs: 00405C59
<script>, xrefs: 00405CAE
</body><html>, xrefs: 00405ED6
%sself.parent.location="%s";, xrefs: 00405D7B
<head>, xrefs: 00405B5B
MicroSoft-Corp, xrefs: 00405BD3
%s<title>%s%u</title>, xrefs: 00405BDF
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
Path, xrefs: 00405FED
D, xrefs: 0040609F
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
MicroSoft-Corp, xrefs: 00406128
\Iexplore.exe , xrefs: 00406048
X-okRecv11, xrefs: 004061B4
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
Path, xrefs: 0040557E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
MicroSoft-Corp, xrefs: 00405700
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC
ntdll.dll, xrefs: 00402AA0
NtUnmapViewOfSection, xrefs: 00402ABC
RtlNtStatusToDosError, xrefs: 00402AF8

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 00000004.00000002.1531356208.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1531225968.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531486452.000000000042B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531624645.000000000042F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531754610.0000000000430000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1531880766.0000000000431000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1532006849.0000000000432000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Kegnnphk.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Knccbbff.exePID: 7908, Parent PID: 7892COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

dnkk.dll, xrefs: 00407BA7
3, xrefs: 00407AB6
KingKarton_10, xrefs: 00407968, 00407D9A
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
RegisterServiceProcess, xrefs: 00407DC8
kk32.dll, xrefs: 00407B41
2, xrefs: 00407ABD
%s\%s.exe, xrefs: 00407AD6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kernel32.dll, xrefs: 00407DBE
Software\Microsoft, xrefs: 00407E24
frm2, xrefs: 00407E1F
surf.dat, xrefs: 00407BD4
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

%s\%s.dll, xrefs: 0040433C
CLSID\%s\InProcServer32, xrefs: 004043B2
ThreadingModel, xrefs: 004043F1
2, xrefs: 0040431D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Kkgclgep, xrefs: 00404377, 0040437C
3, xrefs: 00404316
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Kkgclgep$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3544764926
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

\command.com, xrefs: 00407737
%s/Rtdx1%i.htm, xrefs: 00407857
wupd , xrefs: 0040778C
%s\cmd.pif, xrefs: 004076D6
:%02u, xrefs: 00407682
http://kidos-bank.ru/index.htm, xrefs: 0040756D
:, xrefs: 00407661
http://xware.cjb.net/index.htm, xrefs: 00407513
http://kadet.ru/index.htm, xrefs: 00407485
http://crutop.ru/index.htm, xrefs: 004074DF
http://fethard.biz/index.htm, xrefs: 004075C1
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://cvv.ru/index.htm, xrefs: 0040749F
http://parex-bank.ru/index.htm, xrefs: 00407553
%s /C %s, xrefs: 00407768
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s\Rtdx1%i.dat, xrefs: 004077DC
http://konfiskat.org/index.htm, xrefs: 00407539
http://promo.ru/index.htm, xrefs: 00407442
%s\command.pif, xrefs: 00407726
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://crutop.nu/index.htm, xrefs: 004074B9
:, xrefs: 00407654
/, xrefs: 0040781B
http://kavkaz.ru/index.htm, xrefs: 00407587
%s\cmd.exe, xrefs: 004076F2
2, xrefs: 00407601

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406A38
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Click Once To Continue, xrefs: 00406C0C
Visa, xrefs: 0040693F
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Explorer, xrefs: 004066F4
MasterCard, xrefs: 0040692D
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Your card number, xrefs: 00406A71
ATM PIN-Code, xrefs: 00406AE3
DocObject, xrefs: 004066E5
Please fill in the correct information to verify your identity., xrefs: 004068DB
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Full Name, xrefs: 004069F3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Security Measures, xrefs: 0040677A
KingKarton, xrefs: 00406746
BUTTON, xrefs: 00406C11

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://filesearch.ru/index.php, xrefs: 004072BC
vvpupkin, xrefs: 00407367
http://crutop.ru/index.php, xrefs: 0040720F
http://crutop.nu/index.php, xrefs: 004071E6
crutop, xrefs: 0040736C
http://fuck.ru/index.php, xrefs: 00407288
http://color-bank.ru/index.php, xrefs: 00407243
http://fethard.biz/index.php, xrefs: 00407352
http://trojan.ru/index.php, xrefs: 00407271
http://asechka.ru/index.php, xrefs: 0040725A
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://hackers.lv/index.php, xrefs: 0040733B
http://cvv.ru/index.php, xrefs: 00407324
ofs_kk, xrefs: 00407382
http://goldensand.ru/index.php, xrefs: 004072A5
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://www.redline.ru/index.php, xrefs: 0040730D
http://mazafaka.ru/index.php, xrefs: 00407226
http://devx.nm.ru/index.php, xrefs: 004072D3

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Authorization Failed., xrefs: 00406CEF
Card && expiration date, xrefs: 00406EB6
EDIT, xrefs: 0040701A, 00407050, 0040708C
Click Once To Continue, xrefs: 004070C3
Visa, xrefs: 00406DCF
Explorer, xrefs: 00406C58
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Your card number, xrefs: 00406EF5
ATM PIN-Code, xrefs: 00406F67
DocObject, xrefs: 00406C49
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Please make corrections and try again., xrefs: 00406FDF
KingKarton, xrefs: 00406CBB
BUTTON, xrefs: 004070C8

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
.htm, xrefs: 00405A9A
</head>, xrefs: 00405C1F
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
%s<title>%s%u</title>, xrefs: 00405BDF
function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
%sself.parent.location="%s";, xrefs: 00405D7B
<body>, xrefs: 00405C59
MicroSoft-Corp, xrefs: 00405BD3

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
Path, xrefs: 00405FED
IEFrame, xrefs: 0040615D
D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
Path, xrefs: 0040557E
IEFrame, xrefs: 0040572F
X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
MicroSoft-Corp, xrefs: 00405700

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
GlobalUserOffline, xrefs: 00405413
1601, xrefs: 004053ED
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtUnmapViewOfSection, xrefs: 00402ABC
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000005.00000002.1531107524.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1530982510.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531230341.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531381887.000000000042F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531517225.0000000000430000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531659473.0000000000431000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1531798581.0000000000432000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Knccbbff.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Kkgclgep.exePID: 7924, Parent PID: 7908COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

3, xrefs: 00407AB6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
dnkk.dll, xrefs: 00407BA7
kk32.vxd, xrefs: 00407B74
kk32.dll, xrefs: 00407B41
surf.dat, xrefs: 00407BD4
Software\Microsoft, xrefs: 00407E24
kernel32.dll, xrefs: 00407DBE
frm2, xrefs: 00407E1F
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
2, xrefs: 00407ABD
RegisterServiceProcess, xrefs: 00407DC8
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
KingKarton_10, xrefs: 00407968, 00407D9A
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
%s\%s.exe, xrefs: 00407AD6

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
2, xrefs: 0040431D
CLSID\%s\InProcServer32, xrefs: 004043B2
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC
Kkipaf32, xrefs: 00404377, 0040437C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
3, xrefs: 00404316
%s\%s.dll, xrefs: 0040433C

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Kkipaf32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3882792611
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

9D ', xrefs: 004040AB, 0040411B, 0040417A, 004041DC

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: 9D '
API String ID: 0-3950697698
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 00401219 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

8-L, xrefs: 00401253

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: 8-L
API String ID: 0-2323200622
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

8-L, xrefs: 00401253

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: 8-L
API String ID: 0-2323200622
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

/, xrefs: 0040781B
\command.com, xrefs: 00407737
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://parex-bank.ru/index.htm, xrefs: 00407553
:, xrefs: 00407661
:%02u, xrefs: 00407682
%s /C %s, xrefs: 00407768
http://cvv.ru/index.htm, xrefs: 0040749F
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://xware.cjb.net/index.htm, xrefs: 00407513
http://crutop.nu/index.htm, xrefs: 004074B9
http://fethard.biz/index.htm, xrefs: 004075C1
http://kadet.ru/index.htm, xrefs: 00407485
%s/Rtdx1%i.htm, xrefs: 00407857
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://konfiskat.org/index.htm, xrefs: 00407539
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://promo.ru/index.htm, xrefs: 00407442
%s\Rtdx1%i.dat, xrefs: 004077DC
http://crutop.ru/index.htm, xrefs: 004074DF
http://mazafaka.ru/index.htm, xrefs: 004074F9
2, xrefs: 00407601
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407654
%s\command.pif, xrefs: 00407726
%s\cmd.exe, xrefs: 004076F2
wupd , xrefs: 0040778C

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Explorer, xrefs: 004066F4
Click Once To Continue, xrefs: 00406C0C
Please fill in the correct information to verify your identity., xrefs: 004068DB
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Full Name, xrefs: 004069F3
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Security Measures, xrefs: 0040677A
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Visa, xrefs: 0040693F
KingKarton, xrefs: 00406746
BUTTON, xrefs: 00406C11
Card && expiration date, xrefs: 00406A38
DocObject, xrefs: 004066E5
ATM PIN-Code, xrefs: 00406AE3
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Your card number, xrefs: 00406A71
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fethard.biz/index.php, xrefs: 00407352
http://filesearch.ru/index.php, xrefs: 004072BC
http://www.redline.ru/index.php, xrefs: 0040730D
http://asechka.ru/index.php, xrefs: 0040725A
http://color-bank.ru/index.php, xrefs: 00407243
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.ru/index.php, xrefs: 0040720F
http://trojan.ru/index.php, xrefs: 00407271
http://goldensand.ru/index.php, xrefs: 004072A5
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://crutop.nu/index.php, xrefs: 004071E6
http://fuck.ru/index.php, xrefs: 00407288
http://mazafaka.ru/index.php, xrefs: 00407226
http://cvv.ru/index.php, xrefs: 00407324
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382
crutop, xrefs: 0040736C
http://hackers.lv/index.php, xrefs: 0040733B

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Click Once To Continue, xrefs: 004070C3
Explorer, xrefs: 00406C58
MasterCard, xrefs: 00406DB8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Visa, xrefs: 00406DCF
KingKarton, xrefs: 00406CBB
BUTTON, xrefs: 004070C8
Card && expiration date, xrefs: 00406EB6
Authorization Failed., xrefs: 00406CEF
DocObject, xrefs: 00406C49
ATM PIN-Code, xrefs: 00406F67
Your card number, xrefs: 00406EF5
EDIT, xrefs: 0040701A, 00407050, 0040708C

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</head>, xrefs: 00405C1F
<html>, xrefs: 00405ABA
%s<title>%s%u</title>, xrefs: 00405BDF
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<body>, xrefs: 00405C59
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
MicroSoft-Corp, xrefs: 00405BD3
%sself.parent.location="%s";, xrefs: 00405D7B
%ssetTimeout("x()",%u);, xrefs: 00405E1B
function x(), xrefs: 00405CF7
.htm, xrefs: 00405A9A
<script>, xrefs: 00405CAE
</script>, xrefs: 00405E55

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 004061B4
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Path, xrefs: 00405FED
D, xrefs: 0040609F
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 0040578F
D, xrefs: 0040566E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
Path, xrefs: 0040557E
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

GlobalUserOffline, xrefs: 00405413
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 00000006.00000002.1530977726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1530851072.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531104979.000000000042B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531232865.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531366288.0000000000430000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531491571.0000000000431000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1531626096.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Kkgclgep.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Kkipaf32.exePID: 7956, Parent PID: 7924COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s.exe, xrefs: 00407AD6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kernel32.dll, xrefs: 00407DBE
3, xrefs: 00407AB6
kk32.vxd, xrefs: 00407B74
Software\Microsoft, xrefs: 00407E24
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
surf.dat, xrefs: 00407BD4
KingKarton_10, xrefs: 00407968, 00407D9A
dnkk.dll, xrefs: 00407BA7
2, xrefs: 00407ABD
RegisterServiceProcess, xrefs: 00407DC8
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
%s\%s.dll, xrefs: 0040433C
Apartment, xrefs: 004043EC
2, xrefs: 0040431D
3, xrefs: 00404316
ThreadingModel, xrefs: 004043F1
Web Event Logger, xrefs: 00404408
Loplncai, xrefs: 00404377, 0040437C
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Loplncai$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-574681151
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 00407415
http://kadet.ru/index.htm, xrefs: 00407485
%s\cmd.pif, xrefs: 004076D6
http://parex-bank.ru/index.htm, xrefs: 00407553
:, xrefs: 00407661
\command.com, xrefs: 00407737
2, xrefs: 00407601
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
:%02u, xrefs: 00407682
http://crutop.ru/index.htm, xrefs: 004074DF
%s\Rtdx1%i.dat, xrefs: 004077DC
%s/Rtdx1%i.htm, xrefs: 00407857
/, xrefs: 0040781B
wupd , xrefs: 0040778C
http://promo.ru/index.htm, xrefs: 00407442
%s\cmd.exe, xrefs: 004076F2
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407654
http://cvv.ru/index.htm, xrefs: 0040749F
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://crutop.nu/index.htm, xrefs: 004074B9
http://fethard.biz/index.htm, xrefs: 004075C1
%s /C %s, xrefs: 00407768
%s\command.pif, xrefs: 00407726
http://xware.cjb.net/index.htm, xrefs: 00407513
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://konfiskat.org/index.htm, xrefs: 00407539
http://mazafaka.ru/index.htm, xrefs: 004074F9

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
KingKarton, xrefs: 00406746
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Card && expiration date, xrefs: 00406A38
Explorer, xrefs: 004066F4
ATM PIN-Code, xrefs: 00406AE3
Visa, xrefs: 0040693F
DocObject, xrefs: 004066E5
MasterCard, xrefs: 0040692D
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Full Name, xrefs: 004069F3
Security Measures, xrefs: 0040677A
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Your card number, xrefs: 00406A71
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Click Once To Continue, xrefs: 00406C0C
BUTTON, xrefs: 00406C11
Please fill in the correct information to verify your identity., xrefs: 004068DB
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

crutop, xrefs: 0040736C
http://crutop.nu/index.php, xrefs: 004071E6
http://color-bank.ru/index.php, xrefs: 00407243
ofs_kk, xrefs: 00407382
http://hackers.lv/index.php, xrefs: 0040733B
http://www.redline.ru/index.php, xrefs: 0040730D
vvpupkin, xrefs: 00407367
http://trojan.ru/index.php, xrefs: 00407271
http://mazafaka.ru/index.php, xrefs: 00407226
http://fuck.ru/index.php, xrefs: 00407288
http://goldensand.ru/index.php, xrefs: 004072A5
http://crutop.ru/index.php, xrefs: 0040720F
http://fethard.biz/index.php, xrefs: 00407352
http://cvv.ru/index.php, xrefs: 00407324
http://devx.nm.ru/index.php, xrefs: 004072D3
http://asechka.ru/index.php, xrefs: 0040725A
http://filesearch.ru/index.php, xrefs: 004072BC
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://lovingod.host.sk/index.php, xrefs: 004072EA

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406CBB
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Card && expiration date, xrefs: 00406EB6
Authorization Failed., xrefs: 00406CEF
Explorer, xrefs: 00406C58
ATM PIN-Code, xrefs: 00406F67
Visa, xrefs: 00406DCF
DocObject, xrefs: 00406C49
MasterCard, xrefs: 00406DB8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
EDIT, xrefs: 0040701A, 00407050, 0040708C
Your card number, xrefs: 00406EF5
Click Once To Continue, xrefs: 004070C3
BUTTON, xrefs: 004070C8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<head>, xrefs: 00405B5B
.htm, xrefs: 00405A9A
%sself.parent.location="%s";, xrefs: 00405D7B
MicroSoft-Corp, xrefs: 00405BD3
%s<title>%s%u</title>, xrefs: 00405BDF
<body>, xrefs: 00405C59
%ssetTimeout("x()",%u);, xrefs: 00405E1B
function x(), xrefs: 00405CF7
</head>, xrefs: 00405C1F
<script>, xrefs: 00405CAE
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</body><html>, xrefs: 00405ED6

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128
Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
\Iexplore.exe , xrefs: 00406048
X-okRecv11, xrefs: 004061B4

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
MicroSoft-Corp, xrefs: 00405700
D, xrefs: 0040566E
Path, xrefs: 0040557E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
\Iexplore.exe , xrefs: 0040561A
X-okRecv11, xrefs: 0040578F

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

BrowseNewProcess, xrefs: 0040542C
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
NtMapViewOfSection, xrefs: 00402AE8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000007.00000002.1530721982.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1530612959.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530845772.000000000042B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1530983856.000000000042F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531103306.0000000000430000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531231090.0000000000431000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1531359264.0000000000432000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Kkipaf32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Loplncai.exePID: 7984, Parent PID: 7956COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kk32.vxd, xrefs: 00407B74
dnkk.dll, xrefs: 00407BA7
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s.exe, xrefs: 00407AD6
RegisterServiceProcess, xrefs: 00407DC8
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kk32.dll, xrefs: 00407B41
kernel32.dll, xrefs: 00407DBE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
KingKarton_10, xrefs: 00407968, 00407D9A
frm2, xrefs: 00407E1F
3, xrefs: 00407AB6
surf.dat, xrefs: 00407BD4
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
2, xrefs: 00407ABD
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
2, xrefs: 0040431D
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
%s\%s.dll, xrefs: 0040433C
Mlfimg32, xrefs: 00404377, 0040437C
CLSID\%s\InProcServer32, xrefs: 004043B2
3, xrefs: 00404316

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mlfimg32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-619183538
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

1X+, xrefs: 004040AB, 0040411B, 0040417A, 004041DC

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: 1X+
API String ID: 0-3410899031
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://fethard.biz/index.htm, xrefs: 004075C1
%s\cmd.exe, xrefs: 004076F2
%s\Rtdx1%i.dat, xrefs: 004077DC
:, xrefs: 00407654
/, xrefs: 0040781B
2, xrefs: 00407601
http://konfiskat.org/index.htm, xrefs: 00407539
http://ldark.nm.ru/index.htm, xrefs: 004075A7
\command.com, xrefs: 00407737
:, xrefs: 00407661
%s\cmd.pif, xrefs: 004076D6
http://kadet.ru/index.htm, xrefs: 00407485
http://parex-bank.ru/index.htm, xrefs: 00407553
http://xware.cjb.net/index.htm, xrefs: 00407513
%s/Rtdx1%i.htm, xrefs: 00407857
wupd , xrefs: 0040778C
%s\command.pif, xrefs: 00407726
%s /C %s, xrefs: 00407768
http://crutop.nu/index.htm, xrefs: 004074B9
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://promo.ru/index.htm, xrefs: 00407442
:%02u, xrefs: 00407682
http://cvv.ru/index.htm, xrefs: 0040749F
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.ru/index.htm, xrefs: 004074DF
http://kavkaz.ru/index.htm, xrefs: 00407587
http://kidos-bank.ru/index.htm, xrefs: 0040756D

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Card && expiration date, xrefs: 00406A38
KingKarton, xrefs: 00406746
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Your card number, xrefs: 00406A71
Security Measures, xrefs: 0040677A
Click Once To Continue, xrefs: 00406C0C
Full Name, xrefs: 004069F3
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
BUTTON, xrefs: 00406C11
Visa, xrefs: 0040693F
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
DocObject, xrefs: 004066E5
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Explorer, xrefs: 004066F4
ATM PIN-Code, xrefs: 00406AE3
Please fill in the correct information to verify your identity., xrefs: 004068DB

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.php, xrefs: 00407226
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.ru/index.php, xrefs: 0040720F
http://devx.nm.ru/index.php, xrefs: 004072D3
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://hackers.lv/index.php, xrefs: 0040733B
http://trojan.ru/index.php, xrefs: 00407271
crutop, xrefs: 0040736C
ofs_kk, xrefs: 00407382
http://fethard.biz/index.php, xrefs: 00407352
http://asechka.ru/index.php, xrefs: 0040725A
http://goldensand.ru/index.php, xrefs: 004072A5
http://fuck.ru/index.php, xrefs: 00407288
http://www.redline.ru/index.php, xrefs: 0040730D
http://cvv.ru/index.php, xrefs: 00407324
vvpupkin, xrefs: 00407367
http://crutop.nu/index.php, xrefs: 004071E6
http://ros-neftbank.ru/index.php, xrefs: 00407387

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

EDIT, xrefs: 0040701A, 00407050, 0040708C
Card && expiration date, xrefs: 00406EB6
KingKarton, xrefs: 00406CBB
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Authorization Failed., xrefs: 00406CEF
Your card number, xrefs: 00406EF5
Please make corrections and try again., xrefs: 00406FDF
Click Once To Continue, xrefs: 004070C3
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
BUTTON, xrefs: 004070C8
Visa, xrefs: 00406DCF
DocObject, xrefs: 00406C49
MasterCard, xrefs: 00406DB8
Explorer, xrefs: 00406C58
ATM PIN-Code, xrefs: 00406F67

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
<body>, xrefs: 00405C59
<head>, xrefs: 00405B5B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<script>, xrefs: 00405CAE
function x(), xrefs: 00405CF7
MicroSoft-Corp, xrefs: 00405BD3
.htm, xrefs: 00405A9A
</head>, xrefs: 00405C1F
</body><html>, xrefs: 00405ED6
<html>, xrefs: 00405ABA
</script>, xrefs: 00405E55
%ssetTimeout("x()",%u);, xrefs: 00405E1B

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
MicroSoft-Corp, xrefs: 00406128
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
Path, xrefs: 00405FED
X-okRecv11, xrefs: 004061B4
IEFrame, xrefs: 0040615D
\Iexplore.exe , xrefs: 00406048

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E
Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
IEFrame, xrefs: 0040572F
\Iexplore.exe , xrefs: 0040561A

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

1601, xrefs: 004053ED
yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

ntdll.dll, xrefs: 00402AA0
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 00000008.00000002.1530600283.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1530477866.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530709926.000000000042B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530852580.000000000042F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1530982571.0000000000430000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531097773.0000000000431000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1531222354.0000000000432000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Loplncai.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mlfimg32.exePID: 8000, Parent PID: 7984COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kk32.vxd, xrefs: 00407B74
2, xrefs: 00407ABD
dnkk.dll, xrefs: 00407BA7
Software\Microsoft, xrefs: 00407E24
3, xrefs: 00407AB6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
%s\%s.exe, xrefs: 00407AD6
frm2, xrefs: 00407E1F
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kk32.dll, xrefs: 00407B41
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
KingKarton_10, xrefs: 00407968, 00407D9A
surf.dat, xrefs: 00407BD4
kernel32.dll, xrefs: 00407DBE
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
RegisterServiceProcess, xrefs: 00407DC8

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
Mhmiah32, xrefs: 00404377, 0040437C
3, xrefs: 00404316
Apartment, xrefs: 004043EC

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mhmiah32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2221200865
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

\command.com, xrefs: 00407737
:, xrefs: 00407661
http://parex-bank.ru/index.htm, xrefs: 00407553
wupd , xrefs: 0040778C
http://crutop.nu/index.htm, xrefs: 004074B9
%s\Rtdx1%i.dat, xrefs: 004077DC
http://kadet.ru/index.htm, xrefs: 00407485
:%02u, xrefs: 00407682
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s\command.pif, xrefs: 00407726
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s\cmd.exe, xrefs: 004076F2
/, xrefs: 0040781B
http://crutop.ru/index.htm, xrefs: 004074DF
http://cvv.ru/index.htm, xrefs: 0040749F
http://konfiskat.org/index.htm, xrefs: 00407539
http://fethard.biz/index.htm, xrefs: 004075C1
http://xware.cjb.net/index.htm, xrefs: 00407513
%s /C %s, xrefs: 00407768
%s\cmd.pif, xrefs: 004076D6
http://promo.ru/index.htm, xrefs: 00407442
http://ldark.nm.ru/index.htm, xrefs: 004075A7
2, xrefs: 00407601
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407654
%s/Rtdx1%i.htm, xrefs: 00407857

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Your card number, xrefs: 00406A71
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Card && expiration date, xrefs: 00406A38
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Security Measures, xrefs: 0040677A
Click Once To Continue, xrefs: 00406C0C
ATM PIN-Code, xrefs: 00406AE3
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
BUTTON, xrefs: 00406C11
DocObject, xrefs: 004066E5
MasterCard, xrefs: 0040692D
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Full Name, xrefs: 004069F3
KingKarton, xrefs: 00406746
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Visa, xrefs: 0040693F
Please fill in the correct information to verify your identity., xrefs: 004068DB
Explorer, xrefs: 004066F4

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://hackers.lv/index.php, xrefs: 0040733B
http://fuck.ru/index.php, xrefs: 00407288
crutop, xrefs: 0040736C
http://color-bank.ru/index.php, xrefs: 00407243
ofs_kk, xrefs: 00407382
http://crutop.nu/index.php, xrefs: 004071E6
http://filesearch.ru/index.php, xrefs: 004072BC
http://devx.nm.ru/index.php, xrefs: 004072D3
http://goldensand.ru/index.php, xrefs: 004072A5
http://www.redline.ru/index.php, xrefs: 0040730D
http://mazafaka.ru/index.php, xrefs: 00407226
http://asechka.ru/index.php, xrefs: 0040725A
http://crutop.ru/index.php, xrefs: 0040720F
http://trojan.ru/index.php, xrefs: 00407271
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://fethard.biz/index.php, xrefs: 00407352
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://cvv.ru/index.php, xrefs: 00407324
vvpupkin, xrefs: 00407367

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Your card number, xrefs: 00406EF5
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
EDIT, xrefs: 0040701A, 00407050, 0040708C
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Card && expiration date, xrefs: 00406EB6
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
ATM PIN-Code, xrefs: 00406F67
BUTTON, xrefs: 004070C8
DocObject, xrefs: 00406C49
MasterCard, xrefs: 00406DB8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
KingKarton, xrefs: 00406CBB
Visa, xrefs: 00406DCF
Authorization Failed., xrefs: 00406CEF
Please make corrections and try again., xrefs: 00406FDF
Explorer, xrefs: 00406C58

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</head>, xrefs: 00405C1F
<head>, xrefs: 00405B5B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<script>, xrefs: 00405CAE
<body>, xrefs: 00405C59
MicroSoft-Corp, xrefs: 00405BD3
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
</body><html>, xrefs: 00405ED6
.htm, xrefs: 00405A9A
%s<title>%s%u</title>, xrefs: 00405BDF
function x(), xrefs: 00405CF7
%sself.parent.location="%s";, xrefs: 00405D7B

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 004061B4
\Iexplore.exe , xrefs: 00406048
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
IEFrame, xrefs: 0040615D
Path, xrefs: 00405FED
D, xrefs: 0040609F
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
Path, xrefs: 0040557E
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0
RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
RtlNtStatusToDosError, xrefs: 00402AF8

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2

Memory Dump Source

Source File: 00000009.00000002.1530375985.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1530238938.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530482046.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530604281.000000000042F000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530720820.0000000000430000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530845308.0000000000431000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1530975300.0000000000432000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Mlfimg32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mhmiah32.exePID: 8016, Parent PID: 8000COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kernel32.dll, xrefs: 00407DBE
RegisterServiceProcess, xrefs: 00407DC8
%s\%s.exe, xrefs: 00407AD6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
Software\Microsoft, xrefs: 00407E24
dnkk.dll, xrefs: 00407BA7
2, xrefs: 00407ABD
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
kk32.vxd, xrefs: 00407B74
3, xrefs: 00407AB6
KingKarton_10, xrefs: 00407968, 00407D9A
surf.dat, xrefs: 00407BD4
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316
Web Event Logger, xrefs: 00404408
%s\%s.dll, xrefs: 0040433C
Mddjfiih, xrefs: 00404377, 0040437C
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Apartment, xrefs: 004043EC

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mddjfiih$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1446861165
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s/Rtdx1%i.htm, xrefs: 00407857
:, xrefs: 00407661
http://fethard.biz/index.htm, xrefs: 004075C1
http://crutop.ru/index.htm, xrefs: 004074DF
%s\cmd.exe, xrefs: 004076F2
http://kavkaz.ru/index.htm, xrefs: 00407587
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 00407415
\command.com, xrefs: 00407737
%s\Rtdx1%i.dat, xrefs: 004077DC
%s\command.pif, xrefs: 00407726
2, xrefs: 00407601
http://crutop.nu/index.htm, xrefs: 004074B9
:%02u, xrefs: 00407682
http://kadet.ru/index.htm, xrefs: 00407485
http://cvv.ru/index.htm, xrefs: 0040749F
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://promo.ru/index.htm, xrefs: 00407442
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://parex-bank.ru/index.htm, xrefs: 00407553
wupd , xrefs: 0040778C
http://konfiskat.org/index.htm, xrefs: 00407539
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
:, xrefs: 00407654
%s /C %s, xrefs: 00407768
/, xrefs: 0040781B

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Please fill in the correct information to verify your identity., xrefs: 004068DB
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Click Once To Continue, xrefs: 00406C0C
Visa, xrefs: 0040693F
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
DocObject, xrefs: 004066E5
Card && expiration date, xrefs: 00406A38
BUTTON, xrefs: 00406C11
Full Name, xrefs: 004069F3
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Explorer, xrefs: 004066F4
ATM PIN-Code, xrefs: 00406AE3
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Security Measures, xrefs: 0040677A
Your card number, xrefs: 00406A71
MasterCard, xrefs: 0040692D
KingKarton, xrefs: 00406746

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://color-bank.ru/index.php, xrefs: 00407243
ofs_kk, xrefs: 00407382
http://filesearch.ru/index.php, xrefs: 004072BC
http://hackers.lv/index.php, xrefs: 0040733B
http://devx.nm.ru/index.php, xrefs: 004072D3
http://www.redline.ru/index.php, xrefs: 0040730D
http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://trojan.ru/index.php, xrefs: 00407271
http://crutop.ru/index.php, xrefs: 0040720F
http://fuck.ru/index.php, xrefs: 00407288
http://asechka.ru/index.php, xrefs: 0040725A
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://goldensand.ru/index.php, xrefs: 004072A5
http://crutop.nu/index.php, xrefs: 004071E6
http://cvv.ru/index.php, xrefs: 00407324
vvpupkin, xrefs: 00407367
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://mazafaka.ru/index.php, xrefs: 00407226

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Click Once To Continue, xrefs: 004070C3
Visa, xrefs: 00406DCF
Please make corrections and try again., xrefs: 00406FDF
DocObject, xrefs: 00406C49
Card && expiration date, xrefs: 00406EB6
BUTTON, xrefs: 004070C8
EDIT, xrefs: 0040701A, 00407050, 0040708C
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Explorer, xrefs: 00406C58
ATM PIN-Code, xrefs: 00406F67
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Your card number, xrefs: 00406EF5
MasterCard, xrefs: 00406DB8
Authorization Failed., xrefs: 00406CEF
KingKarton, xrefs: 00406CBB

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<body>, xrefs: 00405C59
<script>, xrefs: 00405CAE
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%sself.parent.location="%s";, xrefs: 00405D7B
%s<title>%s%u</title>, xrefs: 00405BDF
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
</head>, xrefs: 00405C1F
.htm, xrefs: 00405A9A
<head>, xrefs: 00405B5B
MicroSoft-Corp, xrefs: 00405BD3
</body><html>, xrefs: 00405ED6
function x(), xrefs: 00405CF7

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
\Iexplore.exe , xrefs: 00406048
Path, xrefs: 00405FED
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
MicroSoft-Corp, xrefs: 00406128
X-okRecv11, xrefs: 004061B4
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
D, xrefs: 0040609F

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E
D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700
X-okRecv11, xrefs: 0040578F
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

GlobalUserOffline, xrefs: 00405413
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 0000000A.00000002.1530034666.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1529934564.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530139190.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530223463.000000000042F000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530375558.0000000000430000.00000020.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530475492.0000000000431000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1530606933.0000000000432000.00000080.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Mhmiah32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mddjfiih.exePID: 8032, Parent PID: 8016COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

dnkk.dll, xrefs: 00407BA7
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
3, xrefs: 00407AB6
%s\%s.exe, xrefs: 00407AD6
kk32.dll, xrefs: 00407B41
kernel32.dll, xrefs: 00407DBE
surf.dat, xrefs: 00407BD4
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
RegisterServiceProcess, xrefs: 00407DC8
kk32.vxd, xrefs: 00407B74
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
frm2, xrefs: 00407E1F
KingKarton_10, xrefs: 00407968, 00407D9A
2, xrefs: 00407ABD
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Mbhkpnhb, xrefs: 00404377, 0040437C
Web Event Logger, xrefs: 00404408
3, xrefs: 00404316
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
Apartment, xrefs: 004043EC
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mbhkpnhb$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1407755891
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://kavkaz.ru/index.htm, xrefs: 00407587
http://fethard.biz/index.htm, xrefs: 004075C1
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://crutop.ru/index.htm, xrefs: 004074DF
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
wupd , xrefs: 0040778C
2, xrefs: 00407601
:, xrefs: 00407654
http://cvv.ru/index.htm, xrefs: 0040749F
http://crutop.nu/index.htm, xrefs: 004074B9
http://konfiskat.org/index.htm, xrefs: 00407539
http://kadet.ru/index.htm, xrefs: 00407485
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\cmd.exe, xrefs: 004076F2
:%02u, xrefs: 00407682
/, xrefs: 0040781B
http://parex-bank.ru/index.htm, xrefs: 00407553
http://xware.cjb.net/index.htm, xrefs: 00407513
\command.com, xrefs: 00407737
%s\Rtdx1%i.dat, xrefs: 004077DC
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://promo.ru/index.htm, xrefs: 00407442
:, xrefs: 00407661
%s\command.pif, xrefs: 00407726
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s /C %s, xrefs: 00407768
%s/Rtdx1%i.htm, xrefs: 00407857
%s\cmd.pif, xrefs: 004076D6
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Explorer, xrefs: 004066F4
Your card number, xrefs: 00406A71
Security Measures, xrefs: 0040677A
DocObject, xrefs: 004066E5
Please fill in the correct information to verify your identity., xrefs: 004068DB
Click Once To Continue, xrefs: 00406C0C
MasterCard, xrefs: 0040692D
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
ATM PIN-Code, xrefs: 00406AE3
BUTTON, xrefs: 00406C11
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
KingKarton, xrefs: 00406746
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Visa, xrefs: 0040693F
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.php, xrefs: 00407226
http://ros-neftbank.ru/index.php, xrefs: 00407387
vvpupkin, xrefs: 00407367
http://color-bank.ru/index.php, xrefs: 00407243
http://filesearch.ru/index.php, xrefs: 004072BC
http://hackers.lv/index.php, xrefs: 0040733B
http://lovingod.host.sk/index.php, xrefs: 004072EA
crutop, xrefs: 0040736C
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382
http://fuck.ru/index.php, xrefs: 00407288
http://goldensand.ru/index.php, xrefs: 004072A5
http://crutop.ru/index.php, xrefs: 0040720F
http://trojan.ru/index.php, xrefs: 00407271
http://asechka.ru/index.php, xrefs: 0040725A
http://crutop.nu/index.php, xrefs: 004071E6
http://www.redline.ru/index.php, xrefs: 0040730D
http://cvv.ru/index.php, xrefs: 00407324
http://fethard.biz/index.php, xrefs: 00407352

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Explorer, xrefs: 00406C58
Your card number, xrefs: 00406EF5
DocObject, xrefs: 00406C49
Click Once To Continue, xrefs: 004070C3
MasterCard, xrefs: 00406DB8
Card && expiration date, xrefs: 00406EB6
Authorization Failed., xrefs: 00406CEF
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
EDIT, xrefs: 0040701A, 00407050, 0040708C
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
ATM PIN-Code, xrefs: 00406F67
BUTTON, xrefs: 004070C8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Please make corrections and try again., xrefs: 00406FDF
KingKarton, xrefs: 00406CBB
Visa, xrefs: 00406DCF

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%s<title>%s%u</title>, xrefs: 00405BDF
<script>, xrefs: 00405CAE
<html>, xrefs: 00405ABA
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
MicroSoft-Corp, xrefs: 00405BD3
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
.htm, xrefs: 00405A9A
<body>, xrefs: 00405C59
%sself.parent.location="%s";, xrefs: 00405D7B
function x(), xrefs: 00405CF7
%ssetTimeout("x()",%u);, xrefs: 00405E1B

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
\Iexplore.exe , xrefs: 00406048
Path, xrefs: 00405FED
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
yes, xrefs: 00405427
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
NtUnmapViewOfSection, xrefs: 00402ABC
RtlInitUnicodeString, xrefs: 00402AAC
NtOpenSection, xrefs: 00402AD8
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 0000000B.00000002.1529800466.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1529710961.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1529920319.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530038788.000000000042F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530147962.0000000000430000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530241556.0000000000431000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.1530383065.0000000000432000.00000080.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_Mddjfiih.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mbhkpnhb.exePID: 8048, Parent PID: 8032COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
kernel32.dll, xrefs: 00407DBE
frm2, xrefs: 00407E1F
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
KingKarton_10, xrefs: 00407968, 00407D9A
RegisterServiceProcess, xrefs: 00407DC8
%s\%s.exe, xrefs: 00407AD6
kk32.vxd, xrefs: 00407B74
3, xrefs: 00407AB6
Software\Microsoft, xrefs: 00407E24
2, xrefs: 00407ABD
surf.dat, xrefs: 00407BD4
dnkk.dll, xrefs: 00407BA7
kk32.dll, xrefs: 00407B41
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC
%s\%s.dll, xrefs: 0040433C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
Mkqoicnb, xrefs: 00404377, 0040437C
3, xrefs: 00404316
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
CLSID\%s\InProcServer32, xrefs: 004043B2

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mkqoicnb$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1073604747
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s /C %s, xrefs: 00407768
http://xware.cjb.net/index.htm, xrefs: 00407513
:, xrefs: 00407661
http://parex-bank.ru/index.htm, xrefs: 00407553
http://konfiskat.org/index.htm, xrefs: 00407539
http://promo.ru/index.htm, xrefs: 00407442
http://crutop.nu/index.htm, xrefs: 004074B9
http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://kavkaz.ru/index.htm, xrefs: 00407587
\command.com, xrefs: 00407737
http://mazafaka.ru/index.htm, xrefs: 004074F9
/, xrefs: 0040781B
:%02u, xrefs: 00407682
%s\command.pif, xrefs: 00407726
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://crutop.ru/index.htm, xrefs: 004074DF
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://fethard.biz/index.htm, xrefs: 004075C1
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 00407415
2, xrefs: 00407601
%s\Rtdx1%i.dat, xrefs: 004077DC
%s\cmd.exe, xrefs: 004076F2
http://cvv.ru/index.htm, xrefs: 0040749F
:, xrefs: 00407654
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
%s/Rtdx1%i.htm, xrefs: 00407857
wupd , xrefs: 0040778C
http://kadet.ru/index.htm, xrefs: 00407485

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Your card number, xrefs: 00406A71
Full Name, xrefs: 004069F3
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Explorer, xrefs: 004066F4
Click Once To Continue, xrefs: 00406C0C
ATM PIN-Code, xrefs: 00406AE3
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Security Measures, xrefs: 0040677A
Please fill in the correct information to verify your identity., xrefs: 004068DB
Visa, xrefs: 0040693F
MasterCard, xrefs: 0040692D
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Card && expiration date, xrefs: 00406A38
BUTTON, xrefs: 00406C11
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://hackers.lv/index.php, xrefs: 0040733B
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://filesearch.ru/index.php, xrefs: 004072BC
ofs_kk, xrefs: 00407382
http://devx.nm.ru/index.php, xrefs: 004072D3
http://crutop.nu/index.php, xrefs: 004071E6
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.ru/index.php, xrefs: 0040720F
http://asechka.ru/index.php, xrefs: 0040725A
vvpupkin, xrefs: 00407367
http://fuck.ru/index.php, xrefs: 00407288
http://goldensand.ru/index.php, xrefs: 004072A5
http://color-bank.ru/index.php, xrefs: 00407243
http://trojan.ru/index.php, xrefs: 00407271
http://lovingod.host.sk/index.php, xrefs: 004072EA
crutop, xrefs: 0040736C
http://mazafaka.ru/index.php, xrefs: 00407226
http://cvv.ru/index.php, xrefs: 00407324
http://fethard.biz/index.php, xrefs: 00407352

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

KingKarton, xrefs: 00406CBB
Please make corrections and try again., xrefs: 00406FDF
DocObject, xrefs: 00406C49
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Your card number, xrefs: 00406EF5
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Authorization Failed., xrefs: 00406CEF
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Explorer, xrefs: 00406C58
Click Once To Continue, xrefs: 004070C3
ATM PIN-Code, xrefs: 00406F67
EDIT, xrefs: 0040701A, 00407050, 0040708C
Visa, xrefs: 00406DCF
MasterCard, xrefs: 00406DB8
Card && expiration date, xrefs: 00406EB6
BUTTON, xrefs: 004070C8

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<script>, xrefs: 00405CAE
.htm, xrefs: 00405A9A
</head>, xrefs: 00405C1F
<html>, xrefs: 00405ABA
MicroSoft-Corp, xrefs: 00405BD3
<body>, xrefs: 00405C59
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<head>, xrefs: 00405B5B
%s<title>%s%u</title>, xrefs: 00405BDF
</script>, xrefs: 00405E55
</body><html>, xrefs: 00405ED6
function x(), xrefs: 00405CF7
%sself.parent.location="%s";, xrefs: 00405D7B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 004061B4
MicroSoft-Corp, xrefs: 00406128
\Iexplore.exe , xrefs: 00406048
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
Path, xrefs: 00405FED
IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
D, xrefs: 0040609F
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040566E
X-okRecv11, xrefs: 0040578F
MicroSoft-Corp, xrefs: 00405700
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
Path, xrefs: 0040557E
IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

yes, xrefs: 00405427
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
GlobalUserOffline, xrefs: 00405413
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 0000000C.00000002.1529591502.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1529489664.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529698700.000000000042B000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529793587.000000000042F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529897141.0000000000430000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1529985005.0000000000431000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000C.00000002.1530098866.0000000000432000.00000080.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_Mbhkpnhb.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mkqoicnb.exePID: 8064, Parent PID: 8048COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
kernel32.dll, xrefs: 00407DBE
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
Software\Microsoft, xrefs: 00407E24
kk32.vxd, xrefs: 00407B74
3, xrefs: 00407AB6
surf.dat, xrefs: 00407BD4
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
frm2, xrefs: 00407E1F
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
RegisterServiceProcess, xrefs: 00407DC8
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
dnkk.dll, xrefs: 00407BA7
kk32.dll, xrefs: 00407B41
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
KingKarton_10, xrefs: 00407968, 00407D9A
2, xrefs: 00407ABD
%s\%s.exe, xrefs: 00407AD6

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Mdicai32, xrefs: 00404377, 0040437C
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
Apartment, xrefs: 004043EC

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mdicai32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-450580459
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 00407415
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
:%02u, xrefs: 00407682
%s\Rtdx1%i.dat, xrefs: 004077DC
http://parex-bank.ru/index.htm, xrefs: 00407553
http://kavkaz.ru/index.htm, xrefs: 00407587
%s\cmd.pif, xrefs: 004076D6
:, xrefs: 00407654
/, xrefs: 0040781B
%s\command.pif, xrefs: 00407726
%s\cmd.exe, xrefs: 004076F2
http://promo.ru/index.htm, xrefs: 00407442
2, xrefs: 00407601
http://kadet.ru/index.htm, xrefs: 00407485
http://xware.cjb.net/index.htm, xrefs: 00407513
http://cvv.ru/index.htm, xrefs: 0040749F
\command.com, xrefs: 00407737
http://konfiskat.org/index.htm, xrefs: 00407539
http://fethard.biz/index.htm, xrefs: 004075C1
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s /C %s, xrefs: 00407768
%s/Rtdx1%i.htm, xrefs: 00407857
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
wupd , xrefs: 0040778C
http://crutop.nu/index.htm, xrefs: 004074B9
:, xrefs: 00407661
http://crutop.ru/index.htm, xrefs: 004074DF

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

MasterCard, xrefs: 0040692D
ATM PIN-Code, xrefs: 00406AE3
Card && expiration date, xrefs: 00406A38
Visa, xrefs: 0040693F
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Please fill in the correct information to verify your identity., xrefs: 004068DB
DocObject, xrefs: 004066E5
Full Name, xrefs: 004069F3
Security Measures, xrefs: 0040677A
Explorer, xrefs: 004066F4
Click Once To Continue, xrefs: 00406C0C
Your card number, xrefs: 00406A71
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
BUTTON, xrefs: 00406C11
KingKarton, xrefs: 00406746
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://color-bank.ru/index.php, xrefs: 00407243
http://asechka.ru/index.php, xrefs: 0040725A
http://crutop.ru/index.php, xrefs: 0040720F
http://filesearch.ru/index.php, xrefs: 004072BC
http://trojan.ru/index.php, xrefs: 00407271
http://hackers.lv/index.php, xrefs: 0040733B
http://devx.nm.ru/index.php, xrefs: 004072D3
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://fethard.biz/index.php, xrefs: 00407352
vvpupkin, xrefs: 00407367
ofs_kk, xrefs: 00407382
crutop, xrefs: 0040736C
http://fuck.ru/index.php, xrefs: 00407288
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://cvv.ru/index.php, xrefs: 00407324
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.nu/index.php, xrefs: 004071E6
http://mazafaka.ru/index.php, xrefs: 00407226
http://goldensand.ru/index.php, xrefs: 004072A5

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

MasterCard, xrefs: 00406DB8
ATM PIN-Code, xrefs: 00406F67
Authorization Failed., xrefs: 00406CEF
Card && expiration date, xrefs: 00406EB6
Visa, xrefs: 00406DCF
DocObject, xrefs: 00406C49
Explorer, xrefs: 00406C58
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Click Once To Continue, xrefs: 004070C3
Your card number, xrefs: 00406EF5
EDIT, xrefs: 0040701A, 00407050, 0040708C
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
BUTTON, xrefs: 004070C8
KingKarton, xrefs: 00406CBB
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Please make corrections and try again., xrefs: 00406FDF

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
<head>, xrefs: 00405B5B
</body><html>, xrefs: 00405ED6
function x(), xrefs: 00405CF7
%sself.parent.location="%s";, xrefs: 00405D7B
<script>, xrefs: 00405CAE
</head>, xrefs: 00405C1F
</script>, xrefs: 00405E55
<html>, xrefs: 00405ABA
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<body>, xrefs: 00405C59
%s<title>%s%u</title>, xrefs: 00405BDF
MicroSoft-Corp, xrefs: 00405BD3

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 0040612D
Path, xrefs: 00405FED
D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
\Iexplore.exe , xrefs: 00406048
MicroSoft-Corp, xrefs: 00406128
IEFrame, xrefs: 0040615D
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

%s%u - Microsoft Internet Explorer, xrefs: 00405705
D, xrefs: 0040566E
Path, xrefs: 0040557E
X-okRecv11, xrefs: 0040578F
\Iexplore.exe , xrefs: 0040561A
MicroSoft-Corp, xrefs: 00405700
IEFrame, xrefs: 0040572F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
yes, xrefs: 00405427
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 0000000D.00000002.1529387746.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1529303566.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529483835.000000000042B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529611599.000000000042F000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529719456.0000000000430000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529797139.0000000000431000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000D.00000002.1529914709.0000000000432000.00000080.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_Mkqoicnb.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mdicai32.exePID: 8080, Parent PID: 8064COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

surf.dat, xrefs: 00407BD4
kk32.dll, xrefs: 00407B41
KingKarton_10, xrefs: 00407968, 00407D9A
RegisterServiceProcess, xrefs: 00407DC8
frm2, xrefs: 00407E1F
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kernel32.dll, xrefs: 00407DBE
Software\Microsoft, xrefs: 00407E24
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
%s\%s.exe, xrefs: 00407AD6
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
3, xrefs: 00407AB6
2, xrefs: 00407ABD
dnkk.dll, xrefs: 00407BA7
kk32.vxd, xrefs: 00407B74
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
Web Event Logger, xrefs: 00404408
CLSID\%s\InProcServer32, xrefs: 004043B2
Apartment, xrefs: 004043EC
ThreadingModel, xrefs: 004043F1
Mfhplllf, xrefs: 00404377, 0040437C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Mfhplllf$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-4087606308
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 004075A7
http://ldark.nm.ru/index.htm, xrefs: 00407415
http://xware.cjb.net/index.htm, xrefs: 00407513
http://promo.ru/index.htm, xrefs: 00407442
http://kavkaz.ru/index.htm, xrefs: 00407587
/, xrefs: 0040781B
wupd , xrefs: 0040778C
http://mazafaka.ru/index.htm, xrefs: 004074F9
:, xrefs: 00407654
http://kidos-bank.ru/index.htm, xrefs: 0040756D
%s\Rtdx1%i.dat, xrefs: 004077DC
http://konfiskat.org/index.htm, xrefs: 00407539
:, xrefs: 00407661
%s /C %s, xrefs: 00407768
http://crutop.ru/index.htm, xrefs: 004074DF
%s\command.pif, xrefs: 00407726
2, xrefs: 00407601
:%02u, xrefs: 00407682
http://crutop.nu/index.htm, xrefs: 004074B9
http://kadet.ru/index.htm, xrefs: 00407485
http://cvv.ru/index.htm, xrefs: 0040749F
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
%s\cmd.exe, xrefs: 004076F2
\command.com, xrefs: 00407737
%s/Rtdx1%i.htm, xrefs: 00407857
%s\cmd.pif, xrefs: 004076D6
http://fethard.biz/index.htm, xrefs: 004075C1
http://parex-bank.ru/index.htm, xrefs: 00407553

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Your card number, xrefs: 00406A71
Please fill in the correct information to verify your identity., xrefs: 004068DB
Click Once To Continue, xrefs: 00406C0C
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
MasterCard, xrefs: 0040692D
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
ATM PIN-Code, xrefs: 00406AE3
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Explorer, xrefs: 004066F4
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Visa, xrefs: 0040693F
Security Measures, xrefs: 0040677A
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
KingKarton, xrefs: 00406746
DocObject, xrefs: 004066E5
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
BUTTON, xrefs: 00406C11

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fuck.ru/index.php, xrefs: 00407288
http://asechka.ru/index.php, xrefs: 0040725A
vvpupkin, xrefs: 00407367
http://crutop.nu/index.php, xrefs: 004071E6
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://trojan.ru/index.php, xrefs: 00407271
http://mazafaka.ru/index.php, xrefs: 00407226
http://fethard.biz/index.php, xrefs: 00407352
http://crutop.ru/index.php, xrefs: 0040720F
http://filesearch.ru/index.php, xrefs: 004072BC
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://hackers.lv/index.php, xrefs: 0040733B
http://color-bank.ru/index.php, xrefs: 00407243
crutop, xrefs: 0040736C
http://goldensand.ru/index.php, xrefs: 004072A5
http://cvv.ru/index.php, xrefs: 00407324
http://www.redline.ru/index.php, xrefs: 0040730D
http://devx.nm.ru/index.php, xrefs: 004072D3
ofs_kk, xrefs: 00407382

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Your card number, xrefs: 00406EF5
Click Once To Continue, xrefs: 004070C3
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Card && expiration date, xrefs: 00406EB6
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
MasterCard, xrefs: 00406DB8
EDIT, xrefs: 0040701A, 00407050, 0040708C
ATM PIN-Code, xrefs: 00406F67
Explorer, xrefs: 00406C58
Visa, xrefs: 00406DCF
Authorization Failed., xrefs: 00406CEF
Please make corrections and try again., xrefs: 00406FDF
KingKarton, xrefs: 00406CBB
DocObject, xrefs: 00406C49
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
BUTTON, xrefs: 004070C8

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

%s<title>%s%u</title>, xrefs: 00405BDF
function x(), xrefs: 00405CF7
%sself.parent.location="%s";, xrefs: 00405D7B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<html>, xrefs: 00405ABA
</body><html>, xrefs: 00405ED6
MicroSoft-Corp, xrefs: 00405BD3
</script>, xrefs: 00405E55
.htm, xrefs: 00405A9A
<body>, xrefs: 00405C59
%ssetTimeout("x()",%u);, xrefs: 00405E1B
</head>, xrefs: 00405C1F
<script>, xrefs: 00405CAE
<head>, xrefs: 00405B5B

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 00405FED
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
\Iexplore.exe , xrefs: 00406048
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
D, xrefs: 0040609F

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

Path, xrefs: 0040557E
%s%u - Microsoft Internet Explorer, xrefs: 00405705
IEFrame, xrefs: 0040572F
D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

1601, xrefs: 004053ED
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8
RtlNtStatusToDosError, xrefs: 00402AF8
NtUnmapViewOfSection, xrefs: 00402ABC
ntdll.dll, xrefs: 00402AA0
RtlInitUnicodeString, xrefs: 00402AAC

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 0000000E.00000002.1529207688.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1529125315.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529310966.000000000042B000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529423423.000000000042F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529502181.0000000000430000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529600572.0000000000431000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000E.00000002.1529713367.0000000000432000.00000080.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_Mdicai32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Mfhplllf.exePID: 8100, Parent PID: 8080COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

kk32.vxd, xrefs: 00407B74
surf.dat, xrefs: 00407BD4
frm2, xrefs: 00407E1F
kk32.dll, xrefs: 00407B41
%s\%s.exe, xrefs: 00407AD6
dnkk.dll, xrefs: 00407BA7
2, xrefs: 00407ABD
3, xrefs: 00407AB6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton_10, xrefs: 00407968, 00407D9A
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
RegisterServiceProcess, xrefs: 00407DC8
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
Software\Microsoft, xrefs: 00407E24
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kernel32.dll, xrefs: 00407DBE

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 6ee59e3a8573d521def3767ca274d7f3827ba75d4eb2bb238cc0f586924e4543
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
2, xrefs: 0040431D
Apartment, xrefs: 004043EC
3, xrefs: 00404316
Nncepn32, xrefs: 00404377, 0040437C
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Nncepn32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-1013659971
Opcode ID: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: f658e9bbea74cdda21d52ba0dda45127d6eaf8fbfc7815ecca670b5fc2b0fdb5
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: 9534f3964395e2b89bb4d251f3090fa7dea983b28f6d01e0c930ce9dd69a4561
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 520ef99321a950b8bf7a3d53063526bfc001c2e80f8cbbf8410ad5a5ac179331
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

%s/Rtdx1%i.htm, xrefs: 00407857
http://konfiskat.org/index.htm, xrefs: 00407539
http://crutop.nu/index.htm, xrefs: 004074B9
wupd , xrefs: 0040778C
http://xware.cjb.net/index.htm, xrefs: 00407513
%s\Rtdx1%i.dat, xrefs: 004077DC
:%02u, xrefs: 00407682
/, xrefs: 0040781B
http://cvv.ru/index.htm, xrefs: 0040749F
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://ldark.nm.ru/index.htm, xrefs: 00407415
%s /C %s, xrefs: 00407768
http://fethard.biz/index.htm, xrefs: 004075C1
%s\cmd.pif, xrefs: 004076D6
http://kavkaz.ru/index.htm, xrefs: 00407587
:, xrefs: 00407661
http://ldark.nm.ru/index.htm, xrefs: 004075A7
2, xrefs: 00407601
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://mazafaka.ru/index.htm, xrefs: 004074F9
\command.com, xrefs: 00407737
%s\cmd.exe, xrefs: 004076F2
:, xrefs: 00407654
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
%s\command.pif, xrefs: 00407726
http://crutop.ru/index.htm, xrefs: 004074DF
http://parex-bank.ru/index.htm, xrefs: 00407553
http://promo.ru/index.htm, xrefs: 00407442
http://kadet.ru/index.htm, xrefs: 00407485

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: f0770b69ea9e50543ab9fce97bdc0d4f2e15dcd1871b33edef6aa8c3100d143f
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Visa, xrefs: 0040693F
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Click Once To Continue, xrefs: 00406C0C
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Security Measures, xrefs: 0040677A
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
DocObject, xrefs: 004066E5
Full Name, xrefs: 004069F3
Please fill in the correct information to verify your identity., xrefs: 004068DB
ATM PIN-Code, xrefs: 00406AE3
Your card number, xrefs: 00406A71
Card && expiration date, xrefs: 00406A38
Explorer, xrefs: 004066F4
KingKarton, xrefs: 00406746
BUTTON, xrefs: 00406C11
MasterCard, xrefs: 0040692D
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
3-digit validation code on back of card (cvv2), xrefs: 00406AAA

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://ros-neftbank.ru/index.php, xrefs: 00407387
http://www.redline.ru/index.php, xrefs: 0040730D
http://crutop.nu/index.php, xrefs: 004071E6
http://trojan.ru/index.php, xrefs: 00407271
http://fuck.ru/index.php, xrefs: 00407288
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://color-bank.ru/index.php, xrefs: 00407243
http://devx.nm.ru/index.php, xrefs: 004072D3
http://mazafaka.ru/index.php, xrefs: 00407226
vvpupkin, xrefs: 00407367
ofs_kk, xrefs: 00407382
crutop, xrefs: 0040736C
http://goldensand.ru/index.php, xrefs: 004072A5
http://hackers.lv/index.php, xrefs: 0040733B
http://crutop.ru/index.php, xrefs: 0040720F
http://fethard.biz/index.php, xrefs: 00407352
http://cvv.ru/index.php, xrefs: 00407324
http://asechka.ru/index.php, xrefs: 0040725A
http://filesearch.ru/index.php, xrefs: 004072BC

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Visa, xrefs: 00406DCF
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Authorization Failed., xrefs: 00406CEF
Click Once To Continue, xrefs: 004070C3
Please make corrections and try again., xrefs: 00406FDF
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
EDIT, xrefs: 0040701A, 00407050, 0040708C
DocObject, xrefs: 00406C49
ATM PIN-Code, xrefs: 00406F67
Your card number, xrefs: 00406EF5
Card && expiration date, xrefs: 00406EB6
Explorer, xrefs: 00406C58
KingKarton, xrefs: 00406CBB
BUTTON, xrefs: 004070C8
MasterCard, xrefs: 00406DB8
3-digit validation code on back of card (cvv2), xrefs: 00406F2E

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

</body><html>, xrefs: 00405ED6
</script>, xrefs: 00405E55
<head>, xrefs: 00405B5B
function x(), xrefs: 00405CF7
<body>, xrefs: 00405C59
<html>, xrefs: 00405ABA
.htm, xrefs: 00405A9A
%s<title>%s%u</title>, xrefs: 00405BDF
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
%sself.parent.location="%s";, xrefs: 00405D7B
MicroSoft-Corp, xrefs: 00405BD3
<script>, xrefs: 00405CAE
</head>, xrefs: 00405C1F

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 070f966c00dcc4fc5ed0225c697b8d5c881d6209a05a7d24656f81194796effb
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
D, xrefs: 0040609F
MicroSoft-Corp, xrefs: 00406128
\Iexplore.exe , xrefs: 00406048
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
Path, xrefs: 00405FED
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
X-okRecv11, xrefs: 004061B4

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: ac5123de34ba10924cd8499ab49d69040bcdc007685641d75e3294f982633009
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
\Iexplore.exe , xrefs: 0040561A
Path, xrefs: 0040557E
D, xrefs: 0040566E
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
%s%u - Microsoft Internet Explorer, xrefs: 00405705
X-okRecv11, xrefs: 0040578F

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: d894210ce14b94a30ad01c0f117972d478c66e05272d17cf7789e03e5b20e951
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
GlobalUserOffline, xrefs: 00405413

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
ntdll.dll, xrefs: 00402AA0
RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
HEX: , xrefs: 00403AAC
TXT: '%s', xrefs: 00403AEA

Memory Dump Source

Source File: 0000000F.00000002.1528368332.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1528267656.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528520201.000000000042B000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528612267.000000000042F000.00000008.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528704727.0000000000430000.00000020.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528795913.0000000000431000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000F.00000002.1528842421.0000000000432000.00000080.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Mfhplllf.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Nncepn32.exePID: 8116, Parent PID: 8100COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

RegisterServiceProcess, xrefs: 00407DC8
2, xrefs: 00407ABD
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.dll, xrefs: 00407B41
3, xrefs: 00407AB6
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
%s\%s.exe, xrefs: 00407AD6
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
surf.dat, xrefs: 00407BD4
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
kernel32.dll, xrefs: 00407DBE
dnkk.dll, xrefs: 00407BA7
Software\Microsoft, xrefs: 00407E24
kk32.vxd, xrefs: 00407B74
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Nmdeneap, xrefs: 00404377, 0040437C
2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
ThreadingModel, xrefs: 004043F1
Apartment, xrefs: 004043EC
Web Event Logger, xrefs: 00404408
CLSID\%s\InProcServer32, xrefs: 004043B2
%s\%s.dll, xrefs: 0040433C
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
3, xrefs: 00404316

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Nmdeneap$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-3731866722
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

:, xrefs: 00407661
%s /C %s, xrefs: 00407768
http://kadet.ru/index.htm, xrefs: 00407485
/, xrefs: 0040781B
http://crutop.nu/index.htm, xrefs: 004074B9
http://kavkaz.ru/index.htm, xrefs: 00407587
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://mazafaka.ru/index.htm, xrefs: 004074F9
http://crutop.ru/index.htm, xrefs: 004074DF
2, xrefs: 00407601
http://fethard.biz/index.htm, xrefs: 004075C1
%s\cmd.pif, xrefs: 004076D6
%s\command.pif, xrefs: 00407726
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://parex-bank.ru/index.htm, xrefs: 00407553
:, xrefs: 00407654
http://promo.ru/index.htm, xrefs: 00407442
http://kidos-bank.ru/index.htm, xrefs: 0040756D
:%02u, xrefs: 00407682
http://ldark.nm.ru/index.htm, xrefs: 004075A7
%s/Rtdx1%i.htm, xrefs: 00407857
http://ldark.nm.ru/index.htm, xrefs: 00407415
wupd , xrefs: 0040778C
http://xware.cjb.net/index.htm, xrefs: 00407513
http://konfiskat.org/index.htm, xrefs: 00407539
%s\Rtdx1%i.dat, xrefs: 004077DC
%s\cmd.exe, xrefs: 004076F2
\command.com, xrefs: 00407737
http://cvv.ru/index.htm, xrefs: 0040749F

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Please fill in the correct information to verify your identity., xrefs: 004068DB
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Card && expiration date, xrefs: 00406A38
Full Name, xrefs: 004069F3
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
MasterCard, xrefs: 0040692D
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Visa, xrefs: 0040693F
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
BUTTON, xrefs: 00406C11
Explorer, xrefs: 004066F4
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Click Once To Continue, xrefs: 00406C0C
Security Measures, xrefs: 0040677A
DocObject, xrefs: 004066E5
ATM PIN-Code, xrefs: 00406AE3
KingKarton, xrefs: 00406746
Your card number, xrefs: 00406A71
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://crutop.ru/index.php, xrefs: 0040720F
ofs_kk, xrefs: 00407382
vvpupkin, xrefs: 00407367
http://trojan.ru/index.php, xrefs: 00407271
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://www.redline.ru/index.php, xrefs: 0040730D
http://goldensand.ru/index.php, xrefs: 004072A5
http://fethard.biz/index.php, xrefs: 00407352
crutop, xrefs: 0040736C
http://color-bank.ru/index.php, xrefs: 00407243
http://fuck.ru/index.php, xrefs: 00407288
http://hackers.lv/index.php, xrefs: 0040733B
http://cvv.ru/index.php, xrefs: 00407324
http://crutop.nu/index.php, xrefs: 004071E6
http://filesearch.ru/index.php, xrefs: 004072BC
http://devx.nm.ru/index.php, xrefs: 004072D3
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://mazafaka.ru/index.php, xrefs: 00407226
http://asechka.ru/index.php, xrefs: 0040725A

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406EB6
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
MasterCard, xrefs: 00406DB8
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Visa, xrefs: 00406DCF
BUTTON, xrefs: 004070C8
Explorer, xrefs: 00406C58
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
Click Once To Continue, xrefs: 004070C3
DocObject, xrefs: 00406C49
ATM PIN-Code, xrefs: 00406F67
KingKarton, xrefs: 00406CBB
Your card number, xrefs: 00406EF5
EDIT, xrefs: 0040701A, 00407050, 0040708C
Please make corrections and try again., xrefs: 00406FDF
Authorization Failed., xrefs: 00406CEF

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

.htm, xrefs: 00405A9A
</body><html>, xrefs: 00405ED6
%ssetTimeout("x()",%u);, xrefs: 00405E1B
<html>, xrefs: 00405ABA
</script>, xrefs: 00405E55
%s<title>%s%u</title>, xrefs: 00405BDF
MicroSoft-Corp, xrefs: 00405BD3
function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
<script>, xrefs: 00405CAE
%sself.parent.location="%s";, xrefs: 00405D7B
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
<body>, xrefs: 00405C59
</head>, xrefs: 00405C1F

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040609F
X-okRecv11, xrefs: 004061B4
Path, xrefs: 00405FED
\Iexplore.exe , xrefs: 00406048
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
IEFrame, xrefs: 0040615D
MicroSoft-Corp, xrefs: 00406128
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
%s%u - Microsoft Internet Explorer, xrefs: 0040612D

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

X-okRecv11, xrefs: 0040578F
Path, xrefs: 0040557E
\Iexplore.exe , xrefs: 0040561A
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
D, xrefs: 0040566E
IEFrame, xrefs: 0040572F
MicroSoft-Corp, xrefs: 00405700
%s%u - Microsoft Internet Explorer, xrefs: 00405705

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

1601, xrefs: 004053ED
yes, xrefs: 00405427
BrowseNewProcess, xrefs: 0040542C
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

NtOpenSection, xrefs: 00402AD8
NtMapViewOfSection, xrefs: 00402AE8
ntdll.dll, xrefs: 00402AA0
NtUnmapViewOfSection, xrefs: 00402ABC
RtlInitUnicodeString, xrefs: 00402AAC
RtlNtStatusToDosError, xrefs: 00402AF8

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC
[length=%i] [summ=%i], xrefs: 00403A98

Memory Dump Source

Source File: 00000010.00000002.1528203912.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1528009838.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528306477.000000000042B000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528405779.000000000042F000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528550172.0000000000430000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528646058.0000000000431000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 00000010.00000002.1528736243.0000000000432000.00000080.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_Nncepn32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Nmdeneap.exePID: 8132, Parent PID: 8116COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
kk32.dll, xrefs: 00407B41
3, xrefs: 00407AB6
Software\Microsoft, xrefs: 00407E24
%s\%s.exe, xrefs: 00407AD6
dnkk.dll, xrefs: 00407BA7
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
surf.dat, xrefs: 00407BD4
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
KingKarton_10, xrefs: 00407968, 00407D9A
RegisterServiceProcess, xrefs: 00407DC8
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
kk32.vxd, xrefs: 00407B74
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
frm2, xrefs: 00407E1F
kernel32.dll, xrefs: 00407DBE
2, xrefs: 00407ABD

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

2, xrefs: 0040431D
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
ThreadingModel, xrefs: 004043F1
CLSID\%s\InProcServer32, xrefs: 004043B2
Nfmigk32, xrefs: 00404377, 0040437C
Web Event Logger, xrefs: 00404408
Apartment, xrefs: 004043EC
%s\%s.dll, xrefs: 0040433C

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Nfmigk32$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-25055396
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00401219 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

!\, xrefs: 00401253

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: !\
API String ID: 0-693016526
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

!\, xrefs: 00401253

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: !\
API String ID: 0-693016526
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://ldark.nm.ru/index.htm, xrefs: 004075A7
/, xrefs: 0040781B
http://cvv.ru/index.htm, xrefs: 0040749F
http://crutop.nu/index.htm, xrefs: 004074B9
%s\cmd.exe, xrefs: 004076F2
%s\Rtdx1%i.dat, xrefs: 004077DC
http://parex-bank.ru/index.htm, xrefs: 00407553
:, xrefs: 00407661
http://kavkaz.ru/index.htm, xrefs: 00407587
%s /C %s, xrefs: 00407768
\command.com, xrefs: 00407737
%s/Rtdx1%i.htm, xrefs: 00407857
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://fethard.biz/index.htm, xrefs: 004075C1
:%02u, xrefs: 00407682
:, xrefs: 00407654
http://mazafaka.ru/index.htm, xrefs: 004074F9
%s\command.pif, xrefs: 00407726
%s\cmd.pif, xrefs: 004076D6
http://ldark.nm.ru/index.htm, xrefs: 00407415
wupd , xrefs: 0040778C
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://xware.cjb.net/index.htm, xrefs: 00407513
http://konfiskat.org/index.htm, xrefs: 00407539
http://kadet.ru/index.htm, xrefs: 00407485
http://promo.ru/index.htm, xrefs: 00407442
2, xrefs: 00407601
http://crutop.ru/index.htm, xrefs: 004074DF

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
Your card number, xrefs: 00406A71
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
ATM PIN-Code, xrefs: 00406AE3
Full Name, xrefs: 004069F3
KingKarton, xrefs: 00406746
BUTTON, xrefs: 00406C11
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Visa, xrefs: 0040693F
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
MasterCard, xrefs: 0040692D
Please fill in the correct information to verify your identity., xrefs: 004068DB
Security Measures, xrefs: 0040677A
Click Once To Continue, xrefs: 00406C0C
DocObject, xrefs: 004066E5
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
Card && expiration date, xrefs: 00406A38
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
Explorer, xrefs: 004066F4

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://crutop.nu/index.php, xrefs: 004071E6
http://lovingod.host.sk/index.php, xrefs: 004072EA
ofs_kk, xrefs: 00407382
http://filesearch.ru/index.php, xrefs: 004072BC
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://www.redline.ru/index.php, xrefs: 0040730D
http://color-bank.ru/index.php, xrefs: 00407243
http://fuck.ru/index.php, xrefs: 00407288
http://hackers.lv/index.php, xrefs: 0040733B
http://cvv.ru/index.php, xrefs: 00407324
http://crutop.ru/index.php, xrefs: 0040720F
http://devx.nm.ru/index.php, xrefs: 004072D3
vvpupkin, xrefs: 00407367
http://mazafaka.ru/index.php, xrefs: 00407226
http://goldensand.ru/index.php, xrefs: 004072A5
crutop, xrefs: 0040736C
http://trojan.ru/index.php, xrefs: 00407271
http://fethard.biz/index.php, xrefs: 00407352
http://asechka.ru/index.php, xrefs: 0040725A

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

EDIT, xrefs: 0040701A, 00407050, 0040708C
Authorization Failed., xrefs: 00406CEF
Your card number, xrefs: 00406EF5
ATM PIN-Code, xrefs: 00406F67
KingKarton, xrefs: 00406CBB
BUTTON, xrefs: 004070C8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Visa, xrefs: 00406DCF
MasterCard, xrefs: 00406DB8
Click Once To Continue, xrefs: 004070C3
DocObject, xrefs: 00406C49
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
Card && expiration date, xrefs: 00406EB6
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Please make corrections and try again., xrefs: 00406FDF
Explorer, xrefs: 00406C58
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

<head>, xrefs: 00405B5B
<script>, xrefs: 00405CAE
</body><html>, xrefs: 00405ED6
</head>, xrefs: 00405C1F
function x(), xrefs: 00405CF7
<html>, xrefs: 00405ABA
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
.htm, xrefs: 00405A9A
%sself.parent.location="%s";, xrefs: 00405D7B
</script>, xrefs: 00405E55
MicroSoft-Corp, xrefs: 00405BD3
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
<body>, xrefs: 00405C59

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040615D
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
\Iexplore.exe , xrefs: 00406048
MicroSoft-Corp, xrefs: 00406128
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
X-okRecv11, xrefs: 004061B4
D, xrefs: 0040609F
Path, xrefs: 00405FED

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

IEFrame, xrefs: 0040572F
%s%u - Microsoft Internet Explorer, xrefs: 00405705
D, xrefs: 0040566E
\Iexplore.exe , xrefs: 0040561A
MicroSoft-Corp, xrefs: 00405700
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
X-okRecv11, xrefs: 0040578F
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
1601, xrefs: 004053ED
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlNtStatusToDosError, xrefs: 00402AF8
RtlInitUnicodeString, xrefs: 00402AAC
ntdll.dll, xrefs: 00402AA0
NtOpenSection, xrefs: 00402AD8
NtUnmapViewOfSection, xrefs: 00402ABC
NtMapViewOfSection, xrefs: 00402AE8

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

%02X , xrefs: 00403AC2
[length=%i] [summ=%i], xrefs: 00403A98
TXT: '%s', xrefs: 00403AEA
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000011.00000002.1527821025.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1527663508.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1527938847.000000000042B000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528064338.000000000042F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528242335.0000000000430000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528349680.0000000000431000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000011.00000002.1528446565.0000000000432000.00000080.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Nmdeneap.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Nfmigk32.exePID: 8148, Parent PID: 8132COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

%s\%s.exe, xrefs: 00407AD6
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
surf.dat, xrefs: 00407BD4
kernel32.dll, xrefs: 00407DBE
dnkk.dll, xrefs: 00407BA7
frm2, xrefs: 00407E1F
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
kk32.vxd, xrefs: 00407B74
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
2, xrefs: 00407ABD
RegisterServiceProcess, xrefs: 00407DC8
kk32.dll, xrefs: 00407B41
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
Software\Microsoft, xrefs: 00407E24
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
3, xrefs: 00407AB6

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

Web Event Logger, xrefs: 00404408
%s\%s.dll, xrefs: 0040433C
2, xrefs: 0040431D
ThreadingModel, xrefs: 004043F1
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
CLSID\%s\InProcServer32, xrefs: 004043B2
Apartment, xrefs: 004043EC
Nnhnkmek, xrefs: 00404377, 0040437C
3, xrefs: 00404316
{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Nnhnkmek$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2203717794
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Non-executed Functions

Function 004073F8 Relevance: 36.6, Strings: 29, Instructions: 333COMMON

Download Yara Rule

Strings

http://mazafaka.ru/index.htm, xrefs: 004074F9
http://kavkaz.ru/index.htm, xrefs: 00407587
http://gaz-prom.ru/index.htm, xrefs: 004075EE, 004077F0
http://crutop.ru/index.htm, xrefs: 004074DF
:%02u, xrefs: 00407682
http://kidos-bank.ru/index.htm, xrefs: 0040756D
http://promo.ru/index.htm, xrefs: 00407442
http://potleaf.chat.ru/index.htm, xrefs: 0040746B
http://crutop.nu/index.htm, xrefs: 004074B9
:, xrefs: 00407654
%s\cmd.exe, xrefs: 004076F2
wupd , xrefs: 0040778C
http://cvv.ru/index.htm, xrefs: 0040749F
http://parex-bank.ru/index.htm, xrefs: 00407553
2, xrefs: 00407601
%s\cmd.pif, xrefs: 004076D6
:, xrefs: 00407661
%s /C %s, xrefs: 00407768
http://xware.cjb.net/index.htm, xrefs: 00407513
http://fethard.biz/index.htm, xrefs: 004075C1
%s\Rtdx1%i.dat, xrefs: 004077DC
/, xrefs: 0040781B
http://ldark.nm.ru/index.htm, xrefs: 004075A7
\command.com, xrefs: 00407737
%s\command.pif, xrefs: 00407726
http://kadet.ru/index.htm, xrefs: 00407485
%s/Rtdx1%i.htm, xrefs: 00407857
http://konfiskat.org/index.htm, xrefs: 00407539
http://ldark.nm.ru/index.htm, xrefs: 00407415

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s /C %s$%s/Rtdx1%i.htm$%s\Rtdx1%i.dat$%s\cmd.exe$%s\cmd.pif$%s\command.pif$/$2$:$:$:%02u$\command.com$http://crutop.nu/index.htm$http://crutop.ru/index.htm$http://cvv.ru/index.htm$http://fethard.biz/index.htm$http://gaz-prom.ru/index.htm$http://kadet.ru/index.htm$http://kavkaz.ru/index.htm$http://kidos-bank.ru/index.htm$http://konfiskat.org/index.htm$http://ldark.nm.ru/index.htm$http://ldark.nm.ru/index.htm$http://mazafaka.ru/index.htm$http://parex-bank.ru/index.htm$http://potleaf.chat.ru/index.htm$http://promo.ru/index.htm$http://xware.cjb.net/index.htm$wupd
API String ID: 0-3277140060
Opcode ID: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction ID: ca2210810dbac752bcaa7aadc5265d63de30940a24e9d8a933d10326839a4fbc
Opcode Fuzzy Hash: 91ecc280aa46a8be91f03cd94285bdcf4140594b59ad1e961f3a161808934dd8
Instruction Fuzzy Hash: 93C15871E0822C9ADF31D6B48D45BD976BC9B04704F4485FBE648B21C1DA7C6F848F99

Function 004066D2 Relevance: 25.4, Strings: 20, Instructions: 368COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406A38
Click Once To Continue, xrefs: 00406C0C
Full Name, xrefs: 004069F3
Please fill in the correct information to verify your identity., xrefs: 004068DB
of fraud on our website, we are undertaking a period review of our member accounts., xrefs: 00406860
Before signing in, please confirm that you are the owner of this account., xrefs: 004068A2
Explorer, xrefs: 004066F4
DocObject, xrefs: 004066E5
Your card number, xrefs: 00406A71
ATM PIN-Code, xrefs: 00406AE3
3-digit validation code on back of card (cvv2), xrefs: 00406AAA
As part of our continuing commitment to protect your account and to reduce the instance, xrefs: 0040682A
Security Measures, xrefs: 0040677A
MasterCard, xrefs: 0040692D
COMBOBOX, xrefs: 00406916, 0040697E, 004069BA
Visa, xrefs: 0040693F
STATIC, xrefs: 0040677F, 004067C3, 0040682F, 00406865, 004068A7, 004068E0, 004069F8, 00406A3D, 00406A76, 00406AAF, 00406AE8
KingKarton, xrefs: 00406746
EDIT, xrefs: 00406B21, 00406B5D, 00406B9C, 00406BD5
BUTTON, xrefs: 00406C11

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: Security Measures$3-digit validation code on back of card (cvv2)$ATM PIN-Code$As part of our continuing commitment to protect your account and to reduce the instance$BUTTON$Before signing in, please confirm that you are the owner of this account.$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$Full Name$KingKarton$MasterCard$Please fill in the correct information to verify your identity.$STATIC$Visa$Your card number$of fraud on our website, we are undertaking a period review of our member accounts.
API String ID: 0-2414860925
Opcode ID: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction ID: 525493423092be5a9276bf80dfded8ce409bde7a538f3ca8dcbac0c4679fd1cc
Opcode Fuzzy Hash: 0167c73caf962197ec3547814926cae7c5f922c6318a1430baac6ded23f3c64d
Instruction Fuzzy Hash: BFC171317C0714BAFB316F61AE13F963A11AB18F05F608136B700BD1E2DAF92921975D

Function 004071CA Relevance: 23.9, Strings: 19, Instructions: 129COMMON

Download Yara Rule

Strings

http://fuck.ru/index.php, xrefs: 00407288
http://devx.nm.ru/index.php, xrefs: 004072D3
http://lovingod.host.sk/index.php, xrefs: 004072EA
http://crutop.ru/index.php, xrefs: 0040720F
http://ros-neftbank.ru/index.php, xrefs: 00407387
http://hackers.lv/index.php, xrefs: 0040733B
http://goldensand.ru/index.php, xrefs: 004072A5
http://asechka.ru/index.php, xrefs: 0040725A
http://filesearch.ru/index.php, xrefs: 004072BC
ofs_kk, xrefs: 00407382
vvpupkin, xrefs: 00407367
http://trojan.ru/index.php, xrefs: 00407271
http://cvv.ru/index.php, xrefs: 00407324
http://www.redline.ru/index.php, xrefs: 0040730D
crutop, xrefs: 0040736C
http://fethard.biz/index.php, xrefs: 00407352
http://color-bank.ru/index.php, xrefs: 00407243
http://mazafaka.ru/index.php, xrefs: 00407226
http://crutop.nu/index.php, xrefs: 004071E6

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: crutop$http://asechka.ru/index.php$http://color-bank.ru/index.php$http://crutop.nu/index.php$http://crutop.ru/index.php$http://cvv.ru/index.php$http://devx.nm.ru/index.php$http://fethard.biz/index.php$http://filesearch.ru/index.php$http://fuck.ru/index.php$http://goldensand.ru/index.php$http://hackers.lv/index.php$http://lovingod.host.sk/index.php$http://mazafaka.ru/index.php$http://ros-neftbank.ru/index.php$http://trojan.ru/index.php$http://www.redline.ru/index.php$ofs_kk$vvpupkin
API String ID: 0-702909438
Opcode ID: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction ID: 118270107a0e3fcb1342e66a8a865fec4cc7206aa67ae938e3360cedbf7daf89
Opcode Fuzzy Hash: baaa54fe2fd0fd255d344bf161caa3d52bcbcb9711479dacd23a5b10f84c8f34
Instruction Fuzzy Hash: B6418461F4836C39DF21E2B18C06BEE67685B18704F5844EFF584B21C1D6BC5BD84B59

Function 00406C36 Relevance: 21.6, Strings: 17, Instructions: 326COMMON

Download Yara Rule

Strings

Card && expiration date, xrefs: 00406EB6
Click Once To Continue, xrefs: 004070C3
Explorer, xrefs: 00406C58
DocObject, xrefs: 00406C49
Please make corrections and try again., xrefs: 00406FDF
Your card number, xrefs: 00406EF5
ATM PIN-Code, xrefs: 00406F67
Authorization Failed., xrefs: 00406CEF
3-digit validation code on back of card (cvv2), xrefs: 00406F2E
Unable to authorize. ATM PIN-Code is required to complete the transaction., xrefs: 00406FA0
MasterCard, xrefs: 00406DB8
COMBOBOX, xrefs: 00406DA1, 00406E3E, 00406E7D
Visa, xrefs: 00406DCF
STATIC, xrefs: 00406CF4, 00406D32, 00406EBB, 00406EFA, 00406F33, 00406F6C, 00406FA5, 00406FE4
KingKarton, xrefs: 00406CBB
EDIT, xrefs: 0040701A, 00407050, 0040708C
BUTTON, xrefs: 004070C8

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: Authorization Failed.$3-digit validation code on back of card (cvv2)$ATM PIN-Code$BUTTON$COMBOBOX$Card && expiration date$Click Once To Continue$DocObject$EDIT$Explorer$KingKarton$MasterCard$Please make corrections and try again.$STATIC$Unable to authorize. ATM PIN-Code is required to complete the transaction.$Visa$Your card number
API String ID: 0-2189326427
Opcode ID: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction ID: df0912dc553a32f5a8e9dc75fb07004797d75b1aaeecc66523bd96b69c52d49a
Opcode Fuzzy Hash: 22bece452120fd119ed5d4e5945bef80b0251db0f9d1524a0100987c39ecf884
Instruction Fuzzy Hash: DEB14E317C0714BAFB316F51AE13F963A52AB58F04F60413AB700BD1E2DAF929219A5D

Function 00405A48 Relevance: 17.9, Strings: 14, Instructions: 376COMMON

Download Yara Rule

Strings

function x(), xrefs: 00405CF7
<head>, xrefs: 00405B5B
<html>, xrefs: 00405ABA
.htm, xrefs: 00405A9A
%ssetTimeout("x()",%u);, xrefs: 00405E1B
%s<title>%s%u</title>, xrefs: 00405BDF
MicroSoft-Corp, xrefs: 00405BD3
</head>, xrefs: 00405C1F
<body>, xrefs: 00405C59
</body><html>, xrefs: 00405ED6
<script>, xrefs: 00405CAE
%s, xrefs: 00405B1B, 00405BBC, 00405C9A, 00405EC2
</script>, xrefs: 00405E55
%sself.parent.location="%s";, xrefs: 00405D7B

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s$%s<title>%s%u</title>$%sself.parent.location="%s";$%ssetTimeout("x()",%u);$.htm$</body><html>$</head>$</script>$<body>$<head>$<html>$<script>$MicroSoft-Corp$function x()
API String ID: 0-3565490566
Opcode ID: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction ID: ecef72a497013a68274156d69e2e9c2b12a360589a31295beaaee68410b4578e
Opcode Fuzzy Hash: 83e37099b3124e531f67f997f949e5de56b932ab7ba4f4acca814a6a5f304b92
Instruction Fuzzy Hash: F7B109B6F1033416DB10A2B28D8AF6E316F9B94704F5404BFF548B61C2EE7C5A158EB9

Function 00405F4E Relevance: 11.5, Strings: 9, Instructions: 244COMMON

Download Yara Rule

Strings

MicroSoft-Corp, xrefs: 00406128
X-okRecv11, xrefs: 004061B4
Software\Microsoft\IE Setup\Setup, xrefs: 00405FF2
<HTML><!--, xrefs: 0040622D, 00406238, 0040624A
%s%u - Microsoft Internet Explorer, xrefs: 0040612D
\Iexplore.exe , xrefs: 00406048
IEFrame, xrefs: 0040615D
D, xrefs: 0040609F
Path, xrefs: 00405FED

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$<HTML><!--$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-1993706416
Opcode ID: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction ID: f86b42180340aba0ef21c6f6f3d5a6db275e4709594fa0425bcdf0905d23bd19
Opcode Fuzzy Hash: 1275d07c0916675ef8c1e2e965c1bcef3e5608d173af875ea65dfcd0c1debcea
Instruction Fuzzy Hash: 338199B2E042186FDB20A665CD46BDDB6BD9B50304F1500FBB248F61D1EAB95E848F68

Function 0040544C Relevance: 10.2, Strings: 8, Instructions: 244COMMON

Download Yara Rule

Strings

D, xrefs: 0040566E
MicroSoft-Corp, xrefs: 00405700
X-okRecv11, xrefs: 0040578F
Software\Microsoft\IE Setup\Setup, xrefs: 00405583
%s%u - Microsoft Internet Explorer, xrefs: 00405705
\Iexplore.exe , xrefs: 0040561A
IEFrame, xrefs: 0040572F
Path, xrefs: 0040557E

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: %s%u - Microsoft Internet Explorer$D$IEFrame$MicroSoft-Corp$Path$Software\Microsoft\IE Setup\Setup$X-okRecv11$\Iexplore.exe
API String ID: 0-4162506727
Opcode ID: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction ID: bfef76be8c6250f963810c08064b3c439a798be1b072d184861979f5e90c2c55
Opcode Fuzzy Hash: f912ceaa173627be758530db1c20ee7ecf5cd416766e27caf0427cd22e122522
Instruction Fuzzy Hash: 8091C371E052189ADF20AB65CD89BDAB7B9AF40304F1040FAF24CB71D1DAB95E858F58

Function 004053B4 Relevance: 8.8, Strings: 7, Instructions: 47COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00405418
yes, xrefs: 00405427
GlobalUserOffline, xrefs: 00405413
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess, xrefs: 00405431
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u, xrefs: 004053DA
1601, xrefs: 004053ED
BrowseNewProcess, xrefs: 0040542C

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess$1601$BrowseNewProcess$GlobalUserOffline$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u$Software\Microsoft\Windows\CurrentVersion\Internet Settings$yes
API String ID: 0-546450379
Opcode ID: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction ID: 045cd1c3fcbb6a25a0c50820c997f661b02dfad8945370c2bd26c2a271c0ca19
Opcode Fuzzy Hash: af266cde35b0328358cba03d8b622884ebe1fce19c2ded690b8778cd658e366c
Instruction Fuzzy Hash: 66017D71F8C3483AE700A16A1C02FAAB1DE47F0714F6A00A7B941F21C2E4FD8556422D

Function 00402A82 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

RtlInitUnicodeString, xrefs: 00402AAC
NtMapViewOfSection, xrefs: 00402AE8
NtOpenSection, xrefs: 00402AD8
RtlNtStatusToDosError, xrefs: 00402AF8
ntdll.dll, xrefs: 00402AA0
NtUnmapViewOfSection, xrefs: 00402ABC

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 0-1987783197
Opcode ID: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction ID: 18f505ef75de8eb7f295250b341c4ae53e960f0273b835e5a120c96ee44c48b4
Opcode Fuzzy Hash: 1e91f7cbfd64cdd33af07b6010e143518a2379bccf8ab8039e358c951f7cdec6
Instruction Fuzzy Hash: E6F0D6B0B006107A9700BB65AD52A3A3BFCD681784790443FF800E7285DB7C0C0357DC

Function 00403A68 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

TXT: '%s', xrefs: 00403AEA
[length=%i] [summ=%i], xrefs: 00403A98
%02X , xrefs: 00403AC2
HEX: , xrefs: 00403AAC

Memory Dump Source

Source File: 00000012.00000002.1527519576.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1527254679.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527733036.000000000042B000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527842787.000000000042F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1527954079.0000000000430000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528164391.0000000000431000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000012.00000002.1528273409.0000000000432000.00000080.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_Nfmigk32.jbxd

Yara matches

Similarity

API ID:
String ID: TXT: '%s'$%02X $HEX: $[length=%i] [summ=%i]
API String ID: 0-3196696996
Opcode ID: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction ID: 9e5e33ad8d24632ff6b51cf5e3ff57e107248be7fabeceaae62f3242e8ce4223
Opcode Fuzzy Hash: 4872b06915cc54c11f43013aff39191f58f842b13eda3b2ceca468cfd4097b17
Instruction Fuzzy Hash: C2119671F00214EEDB00DFA6C84166EBFE8EB41319F20407FE496B3281D6785B419BA5

Analysis Process: Nnhnkmek.exePID: 8168, Parent PID: 8148COMMON

Executed Functions

Function 00407947 Relevance: 22.9, Strings: 18, Instructions: 389COMMON

Download Yara Rule

Strings

3, xrefs: 00407AB6
kk32.vxd, xrefs: 00407B74
Software\Microsoft, xrefs: 00407E24
REAL CASH, REAL BITCHEZ - CRUTOP.NU, xrefs: 00407BF6
frm2, xrefs: 00407E1F
%s\%s, xrefs: 00407B4B, 00407B7E, 00407BB1, 00407BDE
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE, xrefs: 00407BC6
KingKarton_10, xrefs: 00407968, 00407D9A
dnkk.dll, xrefs: 00407BA7
surf.dat, xrefs: 00407BD4
RegisterServiceProcess, xrefs: 00407DC8
KingKarton, xrefs: 00407CE9, 00407D84, 00407D89
Welcome to our forum, Adult Web Masters! http://crutop.nu, xrefs: 00407B93
%s\%s.exe, xrefs: 00407AD6
kernel32.dll, xrefs: 00407DBE
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu, xrefs: 00407B66
kk32.dll, xrefs: 00407B41
2, xrefs: 00407ABD

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s$%s\%s.exe$2$3$AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE$KingKarton$KingKarton_10$REAL CASH, REAL BITCHEZ - CRUTOP.NU$RegisterServiceProcess$Software\Microsoft$This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu$Welcome to our forum, Adult Web Masters! http://crutop.nu$dnkk.dll$frm2$kernel32.dll$kk32.dll$kk32.vxd$surf.dat
API String ID: 0-359615422
Opcode ID: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction ID: d99c572b43184256b30da78571679c64629d4dddb4952b4c37d2302778154b44
Opcode Fuzzy Hash: 8237beac77b0d10438c126ec969e7a47f7c40204ada38d69ca4331d4012d5e11
Instruction Fuzzy Hash: FAD11571F443196AEB10EBA5CD82FDE77B9AB04704F50007AF644F62C2DABC6A458B5C

Function 00404274 Relevance: 12.6, Strings: 10, Instructions: 126COMMON

Download Yara Rule

Strings

{79FEACFF-FFCE-815E-A900-316290B5B738}, xrefs: 00404295, 004043B1, 00404407
CLSID\%s\InProcServer32, xrefs: 004043B2
ThreadingModel, xrefs: 004043F1
Web Event Logger, xrefs: 00404408
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, xrefs: 0040440D
%s\%s.dll, xrefs: 0040433C
3, xrefs: 00404316
2, xrefs: 0040431D
Apartment, xrefs: 004043EC
Ninbhfea, xrefs: 00404377, 0040437C

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID: %s\%s.dll$2$3$Apartment$CLSID\%s\InProcServer32$Ninbhfea$Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad$ThreadingModel$Web Event Logger${79FEACFF-FFCE-815E-A900-316290B5B738}
API String ID: 0-2119604149
Opcode ID: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction ID: b1eb2fd8619c0f5332e2fc1c109321bdc0a5a72ea524b7a28ef6311c0bacf820
Opcode Fuzzy Hash: 79ae1412a96609c42fae170f613dc920b9265b8abc9c3b6f74a3b052eed8ce34
Instruction Fuzzy Hash: 29418072B442287AD71097759D05FEA76AD8B84304F9441FBF948F61C2DAFC4E448B58

Function 00403FD6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction ID: d893a724b973f6b300f1f90bf6408cf7de74a5d241e85eb53f172de2f6b66e7a
Opcode Fuzzy Hash: dc45866d92f4e85baffedd43402507960907c6fd40df6c1d27c125f00d268f26
Instruction Fuzzy Hash: 11818D72B102199FCB10CB69DD41A9E7BF6EF88314F58407AE940E7390D738A9068BD8

Function 004038B1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction ID: 56b6bc3ca208c7d323cb0ffe23fd67ce3ef4db985304c1923eeed0e42bceedcc
Opcode Fuzzy Hash: 6b924db7240ba4884ccc5f65f55ff5d84d7105bb1917b8a277eeb87bee4bf0fd
Instruction Fuzzy Hash: 2611A771A00208BFEB11AE69CD02B9E7AB8EB44324F104436F654FB2D0D7B89F018B58

Function 004089DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction ID: f50f6994f9d4743f7f09d28a5fbba07362e80a439f55b4cc057ecb1d85c64633
Opcode Fuzzy Hash: e57bf12108196fd4bfaaf97a20b9016804823d83b4828ecad6d602978932d6f6
Instruction Fuzzy Hash: 4BF0C851B5418125EF3062755E4673A66885781360F24147FE4C1F69C2EEBC8C435A2D

Function 0040442A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction ID: 970005859db872574eb109b16362f2b112b6b3249e0ac1441891fc1ccd5c1d5e
Opcode Fuzzy Hash: 3bea19cc88b94adf996164719701ed6109cc0572fbd8340940f7eb8aae431b79
Instruction Fuzzy Hash: 6801A272A00108BFEF119AA5CD02FEE7A7AEF40764F240165B604B61E1C7B15E119798

Function 00401219 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction ID: efdbb495418bafdee7413346ec2770e953b39c0151baa76b2ad9fdf9eb4f5579
Opcode Fuzzy Hash: 408e6f8472abe8a1ed2ad031724aab2943c35bbe0efebcf34be81f71a210fe44
Instruction Fuzzy Hash: EDF09671B40304BADB226B55DD03F2B7BA8EB04B18F90002EF6A4612D1DB7D541596DE

Function 0040121F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1527036920.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1526928769.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527145102.000000000042B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527261670.000000000042F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527593649.0000000000430000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527756391.0000000000431000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000013.00000002.1527868270.0000000000432000.00000080.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_Nnhnkmek.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction ID: 13cc777e82b38d2af0e40a0d9113dd2aaaa1d28fe08837aaa69cdb71dea79015
Opcode Fuzzy Hash: 1b5235fb3cb153f1c87f5a7e1ab26fcb29b1fb070ed25a3087ac6e958182d0c0
Instruction Fuzzy Hash: B0F0BB70F40304BADA217B15DD03F2B7BA8EB04B18F90002EF6A4712D1DB7D541556DE

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f6t9qa761D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SysWOW64\Abagca32.dll

C:\Windows\SysWOW64\Abgiogom.exe

C:\Windows\SysWOW64\Abnopf32.exe

C:\Windows\SysWOW64\Afeaee32.exe

C:\Windows\SysWOW64\Aiejgqbd.exe

C:\Windows\SysWOW64\Akecacdm.dll

C:\Windows\SysWOW64\Apmfnklc.exe

C:\Windows\SysWOW64\Beadgadc.exe

C:\Windows\SysWOW64\Bkmjkjhd.dll

C:\Windows\SysWOW64\Bmfpbogh.exe

C:\Windows\SysWOW64\Boepdgoi.exe

C:\Windows\SysWOW64\Caghjf32.dll

C:\Windows\SysWOW64\Cboabb32.dll

C:\Windows\SysWOW64\Cjemgabj.dll

C:\Windows\SysWOW64\Clajoglf.dll

C:\Windows\SysWOW64\Doaepp32.dll

C:\Windows\SysWOW64\Eakcoodc.dll

C:\Windows\SysWOW64\Eeflcm32.dll

Windows Analysis Report
f6t9qa761D.exe