Windows Analysis Report
nKHN8rvjmN.exe

Overview

General Information

Sample name: nKHN8rvjmN.exe
renamed because original name is a hash value
Original sample name: 2545b47e98ffb00e68912dbedcb8f5db.exe
Analysis ID: 1523562
MD5: 2545b47e98ffb00e68912dbedcb8f5db
SHA1: 0612d0f4417ebb63e52ad1da47db3209e848332a
SHA256: 18240be396f8b7a2a28669dfb20f4fb311daf0b1fd4c1d81df26d7f8419444d4
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: nKHN8rvjmN.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explore.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "SQWICK", "Version": "0.7d", "Install Name": "32cf646479fb52a6cecce80a3bf8d7de", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Program Files (x86)\Explore.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explore.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explore.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\server.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Documents\Explore.exe ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Explore.exe ReversingLabs: Detection: 86%
Source: nKHN8rvjmN.exe ReversingLabs: Detection: 86%
Source: Yara match File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explore.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Joe Sandbox ML: detected
Source: nKHN8rvjmN.exe Joe Sandbox ML: detected
Source: nKHN8rvjmN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: nKHN8rvjmN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: nKHN8rvjmN.exe, Usb1.cs .Net Code: infect
Source: server.exe.0.dr, Usb1.cs .Net Code: infect
Source: Explore.exe.2.dr, Usb1.cs .Net Code: infect
Source: Explore.exe0.2.dr, Usb1.cs .Net Code: infect
Source: StUpdate.exe.2.dr, Usb1.cs .Net Code: infect
Source: Explore.exe1.2.dr, Usb1.cs .Net Code: infect
Source: Microsoft Corporation.exe.2.dr, Usb1.cs .Net Code: infect
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Usb1.cs .Net Code: infect
Source: Explore.exe2.2.dr, Usb1.cs .Net Code: infect
Source: Explore.exe3.2.dr, Usb1.cs .Net Code: infect
Source: Explore.exe4.2.dr, Usb1.cs .Net Code: infect
Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \autorun.inf
Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: \autorun.inf
Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: nKHN8rvjmN.exe Binary or memory string: \autorun.inf
Source: nKHN8rvjmN.exe Binary or memory string: [autorun]
Source: nKHN8rvjmN.exe Binary or memory string: autorun.inf
Source: StUpdate.exe.2.dr Binary or memory string: \autorun.inf
Source: StUpdate.exe.2.dr Binary or memory string: [autorun]
Source: StUpdate.exe.2.dr Binary or memory string: autorun.inf
Source: Explore.exe1.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe1.2.dr Binary or memory string: [autorun]
Source: Explore.exe1.2.dr Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe.2.dr Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe.2.dr Binary or memory string: [autorun]
Source: Microsoft Corporation.exe.2.dr Binary or memory string: autorun.inf
Source: Explore.exe0.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe0.2.dr Binary or memory string: [autorun]
Source: Explore.exe0.2.dr Binary or memory string: autorun.inf
Source: Explore.exe4.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe4.2.dr Binary or memory string: [autorun]
Source: Explore.exe4.2.dr Binary or memory string: autorun.inf
Source: server.exe.0.dr Binary or memory string: \autorun.inf
Source: server.exe.0.dr Binary or memory string: [autorun]
Source: server.exe.0.dr Binary or memory string: autorun.inf
Source: Explore.exe2.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe2.2.dr Binary or memory string: [autorun]
Source: Explore.exe2.2.dr Binary or memory string: autorun.inf
Source: Explore.exe.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe.2.dr Binary or memory string: [autorun]
Source: Explore.exe.2.dr Binary or memory string: autorun.inf
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr Binary or memory string: \autorun.inf
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr Binary or memory string: [autorun]
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr Binary or memory string: autorun.inf
Source: Explore.exe3.2.dr Binary or memory string: \autorun.inf
Source: Explore.exe3.2.dr Binary or memory string: [autorun]
Source: Explore.exe3.2.dr Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49706 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49704 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49704 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49706 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49720 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49720 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49709 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49724 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49733 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49724 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49709 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49734 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49718 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49752 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49718 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49734 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49719 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49719 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49723 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49741 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49741 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49760 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49760 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49737 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49737 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49752 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49733 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49723 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49749 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49749 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49725 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49722 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49715 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49740 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49728 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49721 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49739 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49738 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49739 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49715 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49751 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49726 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49751 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49726 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49728 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49730 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49725 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49730 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49754 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49754 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49721 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49722 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49705 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49738 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49705 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49729 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49721 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49729 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49731 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49734 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49740 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49736 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49743 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49736 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49735 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49717 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49717 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49735 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49743 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49731 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49753 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49753 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49747 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49747 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49761 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49742 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49742 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49714 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49714 -> 3.67.161.133:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49748 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49759 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49732 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49746 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49746 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49744 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49746 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49748 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49745 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49744 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49761 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49758 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49759 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49758 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49759 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49757 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49757 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49732 -> 18.158.58.205:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49745 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49755 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49756 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49756 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49755 -> 3.64.4.198:14355
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49750 -> 3.127.181.115:14355
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49750 -> 3.127.181.115:14355
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 3.67.161.133:14355
Source: global traffic TCP traffic: 192.168.2.5:49730 -> 18.158.58.205:14355
Source: global traffic TCP traffic: 192.168.2.5:49744 -> 3.127.181.115:14355
Source: global traffic TCP traffic: 192.168.2.5:49752 -> 3.64.4.198:14355
Source: Joe Sandbox View IP Address: 18.158.58.205 18.158.58.205
Source: Joe Sandbox View IP Address: 3.64.4.198 3.64.4.198
Source: Joe Sandbox View IP Address: 3.127.181.115 3.127.181.115
Source: Joe Sandbox View IP Address: 3.67.161.133 3.67.161.133
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 5.tcp.eu.ngrok.io
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\server.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

System Summary

Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0155BDCA NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0155BD99 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Windows\SysWOW64\Explore.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874298
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04875000
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_0487470F
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874C8F
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874291
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874F9D
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_0487499D
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874F2F
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874936
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874630
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874544
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_048747D4
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_0487505D
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04874B5B
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_04875459
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_048750E3
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_0487536F
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_048744F1
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Code function: 0_2_048749F9
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_05727900
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_057274C7
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_05724290
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0572427F
Source: nKHN8rvjmN.exe, 00000000.00000002.2029601766.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs nKHN8rvjmN.exe
Source: nKHN8rvjmN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: nKHN8rvjmN.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explore.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@24/18@4/4
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0155BC4E AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0155BC17 AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Program Files (x86)\Explore.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\server.exe Mutant created: \Sessions\1\BaseNamedObjects\32cf646479fb52a6cecce80a3bf8d7de
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: nKHN8rvjmN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nKHN8rvjmN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nKHN8rvjmN.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File read: C:\Users\user\Desktop\nKHN8rvjmN.exe
Source: unknown Process created: C:\Users\user\Desktop\nKHN8rvjmN.exe "C:\Users\user\Desktop\nKHN8rvjmN.exe"
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: nKHN8rvjmN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: nKHN8rvjmN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: nKHN8rvjmN.exe, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe0.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: StUpdate.exe.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe1.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Microsoft Corporation.exe.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe2.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe3.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explore.exe4.2.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\Documents\Explore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Windows\SysWOW64\Explore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Temp\StUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explore.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe File created: C:\Users\user\AppData\Local\Temp\server.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Program Files (x86)\Explore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explore.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Memory allocated: A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Memory allocated: A60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 17C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 3520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 5520000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 66E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 76E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 7A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 8A10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 7A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 8E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 9E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 9E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: AF60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: BF60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: C400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: D400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: E400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: C400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: F580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 10580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 9BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: AF60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: E400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 11580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 12580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 13580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 14580000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 14EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 15EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 16EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 17EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 18EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 19EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1AEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1BEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1CEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1DEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1EEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 1FEC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 20EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 21EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 22EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 23EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 24EC0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 26140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 27140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 28140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 29140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2A140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2B140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 13980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 14980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 15980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 16980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: FD80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 10D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 11D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 17980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 18980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 19980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2C140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2D140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2E140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 2F140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Memory allocated: 1510000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Memory allocated: 3240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Memory allocated: 2C20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Memory allocated: 14A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Memory allocated: 3190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Memory allocated: 14A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 1700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 3470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 5470000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 2289 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 1884 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: foregroundWindowGot 388 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: foregroundWindowGot 404 Jump to behavior
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe TID: 5956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3556 Thread sleep time: -1144500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3556 Thread sleep time: -942000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe TID: 7116 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe TID: 6556 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe TID: 5560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 2136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: server.exe, 00000002.00000002.4452062075.000000000163B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.2046412720.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.2093561425.0000000000E31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: netsh.exe, 00000005.00000003.2084636306.0000000003741000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Users\user\AppData\Local\Temp\server.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe" Jump to behavior
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 15:18:50 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:21:53 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:37 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 04:58:15 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:24 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:56 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\Ol
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 01:05:29 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:08 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:15 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:40 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:29 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:23 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:05:49 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:30 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:20 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:21:57 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:16 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:22 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:04 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/03 | 21:37:25 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:51 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:41 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:00:28 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:31 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:49:46 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:21:56 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:53 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:03 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 00:47:57 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030970856.0000000004ACB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: "dProgram Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 04:51:07 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030970856.0000000004ACB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:46 - Program Manager
Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr Binary or memory string: ProgMan
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:34 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:57:34 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:08:17 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:19 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:06 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:42:41 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 06:39:16 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:21 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 16:32:19 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 16:38:25 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:39 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:46 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:00:13 - Program Manager
Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:51 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 16:55:44 - Program Manager
Source: Microsoft Corporation.exe, 00000013.00000002.2371091247.00000000058BB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: dProgram Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:22:38 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:09 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:21:54 - Program Manager
Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr Binary or memory string: Shell_TrayWnd
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:15 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002711000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -ledProgram Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:21 - Program Manager
Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:21:52 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:35 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:22:25 - Program Manager
Source: server.exe, 00000002.00000002.4452062075.000000000163B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Rh Program Manager$
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:02 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 14:13:29 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 16:09:07 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:23:16 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/04 | 07:06:19 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:24:28 - Program Manager
Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/10/01 | 13:27:41 - Program Manager
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 2_2_0155A72E GetUserNameW, 2_2_0155A72E
Source: C:\Users\user\AppData\Local\Temp\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: nKHN8rvjmN.exe, Fransesco.cs .Net Code: INS
Source: server.exe.0.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe.2.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe0.2.dr, Fransesco.cs .Net Code: INS
Source: StUpdate.exe.2.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe1.2.dr, Fransesco.cs .Net Code: INS
Source: Microsoft Corporation.exe.2.dr, Fransesco.cs .Net Code: INS
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe2.2.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe3.2.dr, Fransesco.cs .Net Code: INS
Source: Explore.exe4.2.dr, Fransesco.cs .Net Code: INS
Source: C:\Users\user\AppData\Local\Temp\server.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED