Analysis Report e3CtV2Nw.exe

Overview

General Information

Sample Name: e3CtV2Nw.exe
Analysis ID: 289659
MD5: a9620469a4b9a1b7c77aab3e946187f7
SHA1: 06e7e5fd7d1e545916e8eb061b8be281454b03d8
SHA256: 46fa7b3768b1f91187f59fb97a88e1efbbe603dc88419c73da07c627e9d57f74
Tags: exe, njRat

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • e3CtV2Nw.exe (PID: 5816 cmdline: 'C:\Users\user\Desktop\e3CtV2Nw.exe' MD5: A9620469A4B9A1B7C77AAB3E946187F7)
    • domty.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Roaming\domty.exe' MD5: A9620469A4B9A1B7C77AAB3E946187F7)
      • netsh.exe (PID: 6872 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • domty.exe (PID: 4884 cmdline: 'C:\Users\user\AppData\Roaming\domty.exe' .. MD5: A9620469A4B9A1B7C77AAB3E946187F7)
  • domty.exe (PID: 5744 cmdline: 'C:\Users\user\AppData\Roaming\domty.exe' .. MD5: A9620469A4B9A1B7C77AAB3E946187F7)
  • domty.exe (PID: 4464 cmdline: 'C:\Users\user\AppData\Roaming\domty.exe' .. MD5: A9620469A4B9A1B7C77AAB3E946187F7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
e3CtV2Nw.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4da9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4f01:$s3: Executed As
  • 0x4ee3:$s6: Download ERROR
e3CtV2Nw.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
e3CtV2Nw.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4e17:$a1: netsh firewall add allowedprogram
  • 0x4de7:$a2: SEE_MASK_NOZONECHECKS
  • 0x5091:$b1: [TAP]
  • 0x4da9:$c3: cmd.exe /c ping
e3CtV2Nw.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4de7:$reg: SEE_MASK_NOZONECHECKS
  • 0x4ebf:$msg: Execute ERROR
  • 0x4f1b:$msg: Execute ERROR
  • 0x4da9:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\domty.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4da9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4f01:$s3: Executed As
  • 0x4ee3:$s6: Download ERROR
C:\Users\user\AppData\Roaming\domty.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\domty.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4e17:$a1: netsh firewall add allowedprogram
  • 0x4de7:$a2: SEE_MASK_NOZONECHECKS
  • 0x5091:$b1: [TAP]
  • 0x4da9:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\domty.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4de7:$reg: SEE_MASK_NOZONECHECKS
  • 0x4ebf:$msg: Execute ERROR
  • 0x4f1b:$msg: Execute ERROR
  • 0x4da9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4da9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4f01:$s3: Executed As
  • 0x4ee3:$s6: Download ERROR

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x1008:$a1: netsh firewall add allowedprogram
  • 0x706b:$a1: netsh firewall add allowedprogram
  • 0xfb8:$a2: SEE_MASK_NOZONECHECKS
  • 0x703b:$a2: SEE_MASK_NOZONECHECKS
  • 0x72e5:$b1: [TAP]
  • 0x6ffd:$c3: cmd.exe /c ping
00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xfb8:$reg: SEE_MASK_NOZONECHECKS
  • 0x703b:$reg: SEE_MASK_NOZONECHECKS
  • 0x7113:$msg: Execute ERROR
  • 0x716f:$msg: Execute ERROR
  • 0x6ffd:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4c17:$a1: netsh firewall add allowedprogram
  • 0x4be7:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e91:$b1: [TAP]
  • 0x4ba9:$c3: cmd.exe /c ping

Unpacked PEs

Source | Rule | Description | Author | Strings
12.0.domty.exe.f0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4da9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4f01:$s3: Executed As
  • 0x4ee3:$s6: Download ERROR
12.0.domty.exe.f0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
12.0.domty.exe.f0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4e17:$a1: netsh firewall add allowedprogram
  • 0x4de7:$a2: SEE_MASK_NOZONECHECKS
  • 0x5091:$b1: [TAP]
  • 0x4da9:$c3: cmd.exe /c ping
12.0.domty.exe.f0000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4de7:$reg: SEE_MASK_NOZONECHECKS
  • 0x4ebf:$msg: Execute ERROR
  • 0x4f1b:$msg: Execute ERROR
  • 0x4da9:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.e3CtV2Nw.exe.50000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4da9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4f01:$s3: Executed As
  • 0x4ee3:$s6: Download ERROR

            Sigma Overview

            System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data:
  • Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE
  • CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE
  • CommandLine|base64offset|contains: l
  • Image: C:\Windows\SysWOW64\netsh.exe
  • NewProcessName: C:\Windows\SysWOW64\netsh.exe
  • OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Roaming\domty.exe'
  • ParentImage: C:\Users\user\AppData\Roaming\domty.exe
  • ParentProcessId: 5712
  • ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE
  • ProcessId: 6872

            Signature Overview


            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: e3CtV2Nw.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\domty.exe; Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe; Avira: detection malicious, Label: TR/Dropper.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe; Virustotal: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\domty.exe; Virustotal: Detection: 83%
Source: C:\Users\user\AppData\Roaming\domty.exe; ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: e3CtV2Nw.exe; Virustotal: Detection: 83%
Source: e3CtV2Nw.exe; ReversingLabs: Detection: 89%
Yara detected Njrat
Source: Yara match; File source: e3CtV2Nw.exe, type: SAMPLE
Source: Yara match; File source: 00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.409459970.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.367926961.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.368219991.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.438310746.00000000000F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.352364512.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.420854036.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.444383446.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.618693666.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.426926648.00000000000F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: domty.exe PID: 4884, type: MEMORY
Source: Yara match; File source: Process Memory Space: domty.exe PID: 4464, type: MEMORY
Source: Yara match; File source: Process Memory Space: domty.exe PID: 5744, type: MEMORY
Source: Yara match; File source: Process Memory Space: domty.exe PID: 5712, type: MEMORY
Source: Yara match; File source: Process Memory Space: e3CtV2Nw.exe PID: 5816, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPED
Source: Yara match; File source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\domty.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: e3CtV2Nw.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.domty.exe.be0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 12.2.domty.exe.f0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 12.0.domty.exe.f0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 13.2.domty.exe.660000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 13.0.domty.exe.660000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 0.2.e3CtV2Nw.exe.50000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 0.0.e3CtV2Nw.exe.50000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 1.2.domty.exe.be0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 8.2.domty.exe.a0000.0.unpack; Avira: Label: TR/Dropper.Gen7
Source: 8.0.domty.exe.a0000.0.unpack; Avira: Label: TR/Dropper.Gen7

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49729 -> 91.109.186.4:1177
Uses dynamic DNS services
Source: unknown; DNS query: name: ronymahmoudn.ddns.net
Source: unknown; DNS traffic detected: queries for: ronymahmoudn.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.3:49729 -> 91.109.186.4:1177
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: IELOIELOMainNetworkFR IELOIELOMainNetworkFR

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: e3CtV2Nw.exe, kl.cs; .Net Code: VKCodeToUnicode
Source: domty.exe.0.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 0af32282296cbea7a0582702966a56c9.exe.1.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 1.0.domty.exe.be0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 1.2.domty.exe.be0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 8.2.domty.exe.a0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 8.0.domty.exe.a0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 12.2.domty.exe.f0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 12.0.domty.exe.f0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 13.2.domty.exe.660000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 13.0.domty.exe.660000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode

            E-Banking Fraud:

Yara detected Njrat

            Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Roaming\domty.exe; Process information set: 01 00 00 00

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: e3CtV2Nw.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: e3CtV2Nw.exe, type: SAMPLEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: e3CtV2Nw.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000000.409459970.00000000000A2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000008.00000000.409459970.00000000000A2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000000.367926961.0000000000BE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000001.00000000.367926961.0000000000BE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.368219991.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000000.00000002.368219991.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000C.00000002.438310746.00000000000F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0000000C.00000002.438310746.00000000000F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000000.352364512.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000000.00000000.352364512.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.420854036.00000000000A2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000008.00000002.420854036.00000000000A2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000000.444383446.0000000000662000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0000000D.00000000.444383446.0000000000662000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.618693666.0000000000BE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000001.00000002.618693666.0000000000BE2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000C.00000000.426926648.00000000000F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0000000C.00000000.426926648.00000000000F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\domty.exeCode function: 1_2_013DBC42 NtSetInformationProcess,1_2_013DBC42
            Source: C:\Users\user\AppData\Roaming\domty.exeCode function: 1_2_013DBC20 NtSetInformationProcess,1_2_013DBC20
            Source: C:\Users\user\AppData\Roaming\domty.exeCode function: 1_2_0541315A NtQuerySystemInformation,1_2_0541315A
            Source: C:\Users\user\AppData\Roaming\domty.exeCode function: 1_2_0541311F NtQuerySystemInformation,1_2_0541311F
            Source: e3CtV2Nw.exe, 00000000.00000002.369114508.00000000048B0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs e3CtV2Nw.exe
            Source: e3CtV2Nw.exe, 00000000.00000002.369209966.00000000049B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs e3CtV2Nw.exe
            Source: e3CtV2Nw.exe, 00000000.00000002.369209966.00000000049B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs e3CtV2Nw.exe
            Source: e3CtV2Nw.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: e3CtV2Nw.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: e3CtV2Nw.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000000.00000002.369063239.0000000002865000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0000000D.00000002.455795631.0000000000662000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000008.00000000.409459970.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000008.00000000.409459970.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000001.00000000.367926961.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000001.00000000.367926961.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000002.368219991.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000000.00000002.368219991.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0000000C.00000002.438310746.00000000000F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0000000C.00000002.438310746.00000000000F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000000.352364512.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000000.00000000.352364512.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000008.00000002.420854036.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000008.00000002.420854036.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0000000D.00000000.444383446.0000000000662000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0000000D.00000000.444383446.0000000000662000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000001.00000002.618693666.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000001.00000002.618693666.0000000000BE2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0000000C.00000000.426926648.00000000000F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0000000C.00000000.426926648.00000000000F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Roaming\domty.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 12.0.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 13.2.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 13.0.domty.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 1.0.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 12.2.domty.exe.f0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 1.2.domty.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 8.0.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 8.2.domty.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@1/1
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 1_2_013DB8F2 AdjustTokenPrivileges, 1_2_013DB8F2
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 1_2_013DB8BB AdjustTokenPrivileges, 1_2_013DB8BB
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe File created: C:\Users\user\AppData\Roaming\domty.exe
            Source: C:\Users\user\AppData\Roaming\domty.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\domty.exe Mutant created: \Sessions\1\BaseNamedObjects\0af32282296cbea7a0582702966a56c9
            Source: e3CtV2Nw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Roaming\domty.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\domty.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Roaming\domty.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Roaming\domty.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: e3CtV2Nw.exe Virustotal: Detection: 83%
            Source: e3CtV2Nw.exe ReversingLabs: Detection: 89%
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe File read: C:\Users\user\Desktop\e3CtV2Nw.exe
            Source: unknown Process created: C:\Users\user\Desktop\e3CtV2Nw.exe 'C:\Users\user\Desktop\e3CtV2Nw.exe'
            Source: unknown Process created: C:\Users\user\AppData\Roaming\domty.exe 'C:\Users\user\AppData\Roaming\domty.exe'
            Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE
            Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Users\user\AppData\Roaming\domty.exe 'C:\Users\user\AppData\Roaming\domty.exe' ..
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Process created: C:\Users\user\AppData\Roaming\domty.exe 'C:\Users\user\AppData\Roaming\domty.exe'
            Source: C:\Users\user\AppData\Roaming\domty.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\domty.exe' 'domty.exe' ENABLE
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: e3CtV2Nw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: e3CtV2Nw.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: e3CtV2Nw.exe, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: domty.exe.0.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.e3CtV2Nw.exe.50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.e3CtV2Nw.exe.50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0af32282296cbea7a0582702966a56c9.exe.1.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.domty.exe.be0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.domty.exe.be0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 8.2.domty.exe.a0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 8.0.domty.exe.a0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 12.2.domty.exe.f0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 12.0.domty.exe.f0000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 13.2.domty.exe.660000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 13.0.domty.exe.660000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Code function: 0_2_00055021 push cs; ret 0_2_00055022
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 1_2_00BE5021 push cs; ret 1_2_00BE5022
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 8_2_000A5021 push cs; ret 8_2_000A5022
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 12_2_000F5021 push cs; ret 12_2_000F5022
            Source: C:\Users\user\AppData\Roaming\domty.exe Code function: 13_2_00665021 push cs; ret 13_2_00665022
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe File created: C:\Users\user\AppData\Roaming\domty.exe
            Source: C:\Users\user\AppData\Roaming\domty.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe

            Boot Survival:

            Creates autostart registry keys with suspicious names
            Source: C:\Users\user\AppData\Roaming\domty.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 0af32282296cbea7a0582702966a56c9
            Drops PE files to the startup folder
            Source: C:\Users\user\AppData\Roaming\domty.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0af32282296cbea7a0582702966a56c9.exe
            Source: C:\Users\user\Desktop\e3CtV2Nw.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\domty.exe Process information set: NOOPENFILEERRORBOX