Source: Yara match |
File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match |
File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match |
File source: C:\svchost.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Binary or memory string: [autorun] |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp |
Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp |
Binary or memory string: [autorun] |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp |
Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp |
Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp |
Binary or memory string: [autorun] |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp |
Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: autorun.inf |
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp |
Binary or memory string: autorun.inf |
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: autorun.inf |
Source: System.exe |
Binary or memory string: [autorun] |
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp |
Binary or memory string: autorun.inf |
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp |
Binary or memory string: [autorun] |
Source: System.exe |
Binary or memory string: autorun.inf |
Source: System.exe |
Binary or memory string: [autorun] |
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp |
Binary or memory string: autorun.inf |
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp |
Binary or memory string: [autorun] |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Binary or memory string: [autorun] |
Source: System.exe.0.dr |
Binary or memory string: autorun.inf |
Source: System.exe.0.dr |
Binary or memory string: [autorun] |
Source: autorun.inf.4.dr |
Binary or memory string: [autorun] |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr |
Binary or memory string: autorun.inf |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr |
Binary or memory string: [autorun] |
Source: svchost.exe.4.dr |
Binary or memory string: autorun.inf |
Source: svchost.exe.4.dr |
Binary or memory string: [autorun] |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49753 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49754 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49755 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49758 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49759 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49760 -> 3.13.191.225:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49761 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49762 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49763 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49765 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49767 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49770 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49771 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49773 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49778 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49799 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49803 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49813 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49816 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49818 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49819 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49820 -> 3.17.7.232:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49821 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49822 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49823 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49825 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49826 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49840 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49851 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49852 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49857 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49858 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49859 -> 3.13.191.225:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49860 -> 3.13.191.225:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49861 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49862 -> 3.14.182.203:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49864 -> 3.134.125.175:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49865 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49866 -> 3.22.30.40:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49867 -> 3.13.191.225:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49868 -> 3.13.191.225:13467 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49869 -> 3.22.30.40:13467 |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs |
.Net Code: VKCodeToUnicode |
Source: System.exe.0.dr, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs |
.Net Code: VKCodeToUnicode |
Source: svchost.exe.4.dr, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 4.2.System.exe.c70000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.2.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.3.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.1.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 9.0.System.exe.f50000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 9.2.System.exe.f50000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 11.0.System.exe.50000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 11.2.System.exe.50000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 12.0.System.exe.510000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: 12.2.System.exe.510000.0.unpack, kl.cs |
.Net Code: VKCodeToUnicode |
Source: Yara match |
File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match |
File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match |
File source: C:\svchost.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\svchost.exe, type: DROPPED |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\svchost.exe, type: DROPPED |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: System.exe.0.dr, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: svchost.exe.4.dr, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 11.0.System.exe.50000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 11.2.System.exe.50000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 12.0.System.exe.510000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 12.2.System.exe.510000.0.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: System.exe.0.dr, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: System.exe.0.dr, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: svchost.exe.4.dr, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: svchost.exe.4.dr, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.2.System.exe.c70000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.2.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.3.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.1.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9.0.System.exe.f50000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9.2.System.exe.f50000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 11.0.System.exe.50000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 11.0.System.exe.50000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 11.2.System.exe.50000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 11.2.System.exe.50000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 12.0.System.exe.510000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 12.0.System.exe.510000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 12.2.System.exe.510000.0.unpack, OK.cs |
Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 12.2.System.exe.510000.0.unpack, kl.cs |
Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp |
Binary or memory string: program managerH |
Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp |
Binary or memory string: RhProgram Manager |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp |
Binary or memory string: Program Manager |
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp |
Binary or memory string: Program Managerraq( |
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp |
Binary or memory string: Program Manager|9 |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp |
Binary or memory string: Program Manager< |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\System.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match |
File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match |
File source: C:\svchost.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs |
.Net Code: njRat config detected |
Source: System.exe.0.dr, OK.cs |
.Net Code: njRat config detected |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs |
.Net Code: njRat config detected |
Source: svchost.exe.4.dr, OK.cs |
.Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 11.0.System.exe.50000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 11.2.System.exe.50000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 12.0.System.exe.510000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: 12.2.System.exe.510000.0.unpack, OK.cs |
.Net Code: njRat config detected |
Source: Yara match |
File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match |
File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match |
File source: C:\svchost.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |