Source: Yara match | File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match | File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match | File source: C:\svchost.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Binary or memory string: [autorun] |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp | Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp | Binary or memory string: [autorun] |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp | Binary or memory string: autorun.inf |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp | Binary or memory string: [autorun] |
Source: System.exe | Binary or memory string: [autorun] |
Source: System.exe | Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | Binary or memory string: [autorun] |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp | Binary or memory string: autorun.inf |
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp | Binary or memory string: [autorun] |
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp | Binary or memory string: autorun.inf |
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp | Binary or memory string: [autorun] |
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp | Binary or memory string: autorun.inf |
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp | Binary or memory string: [autorun] |
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | Binary or memory string: autorun.inf |
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | Binary or memory string: [autorun] |
Source: System.exe.0.dr | Binary or memory string: autorun.inf |
Source: System.exe.0.dr | Binary or memory string: [autorun] |
Source: autorun.inf.4.dr | Binary or memory string: [autorun] |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr | Binary or memory string: autorun.inf |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr | Binary or memory string: [autorun] |
Source: svchost.exe.4.dr | Binary or memory string: autorun.inf |
Source: svchost.exe.4.dr | Binary or memory string: [autorun] |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49753 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49754 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49755 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49758 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49759 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49760 -> 3.13.191.225:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49761 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49762 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49763 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49765 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49767 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49770 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49771 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49773 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49778 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49799 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49803 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49813 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49816 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49818 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49819 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49820 -> 3.17.7.232:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49821 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49822 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49823 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49825 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49826 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49840 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49851 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49852 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49857 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49858 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49859 -> 3.13.191.225:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49860 -> 3.13.191.225:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49861 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49862 -> 3.14.182.203:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49864 -> 3.134.125.175:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49865 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49866 -> 3.22.30.40:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49867 -> 3.13.191.225:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49868 -> 3.13.191.225:13467 |
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49869 -> 3.22.30.40:13467 |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs | .Net Code: VKCodeToUnicode |
Source: System.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs | .Net Code: VKCodeToUnicode |
Source: svchost.exe.4.dr, kl.cs | .Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 4.2.System.exe.c70000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.2.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.3.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 4.0.System.exe.c70000.1.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 9.0.System.exe.f50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 9.2.System.exe.f50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 11.0.System.exe.50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 11.2.System.exe.50000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 12.0.System.exe.510000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 12.2.System.exe.510000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\svchost.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\svchost.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: System.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: svchost.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 11.0.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 11.2.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 12.0.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 12.2.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process information set: NOOPENFILEERRORBOX | (identical row repeated 21 times)
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX | (identical row repeated 45 times)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX | (identical row repeated 2 times)
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX | (identical row repeated 54 times)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: System.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: System.exe.0.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: svchost.exe.4.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: svchost.exe.4.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.2.System.exe.c70000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.2.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.3.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 4.0.System.exe.c70000.1.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9.0.System.exe.f50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 9.2.System.exe.f50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 11.0.System.exe.50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 11.0.System.exe.50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 11.2.System.exe.50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 11.2.System.exe.50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 12.0.System.exe.510000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 12.0.System.exe.510000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 12.2.System.exe.510000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 12.2.System.exe.510000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: C:\Users\user\AppData\Roaming\System.exe | Queries volume information: C:\ VolumeInformation | (identical row repeated 29 times)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation | (identical row repeated 2 times)
Source: Yara match | File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE |
Source: Yara match | File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR |
Source: Yara match | File source: C:\svchost.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | .Net Code: njRat config detected |
Source: System.exe.0.dr, OK.cs | .Net Code: njRat config detected |
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | .Net Code: njRat config detected |
Source: svchost.exe.4.dr, OK.cs | .Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 4.2.System.exe.c70000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.2.unpack, OK.cs | .Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.3.unpack, OK.cs | .Net Code: njRat config detected |
Source: 4.0.System.exe.c70000.1.unpack, OK.cs | .Net Code: njRat config detected |
Source: 9.0.System.exe.f50000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 9.2.System.exe.f50000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 11.0.System.exe.50000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 11.2.System.exe.50000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 12.0.System.exe.510000.0.unpack, OK.cs | .Net Code: njRat config detected |
Source: 12.2.System.exe.510000.0.unpack, OK.cs | .Net Code: njRat config detected |
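A small triage helper, added here as an example and not part of the sandbox report above, that parses rows in this page's "Source: … | … |" format, collapses verbatim-repeated events (the NOOPENFILEERRORBOX and volume-information rows are the obvious cases), and pulls out what a responder would hunt for on a host: the dropped-file paths and process IDs carried by the Yara rows, and the P/Invoke targets (user32 GetAsyncKeyState/MapVirtualKey, avicap32 capGetDriverDescriptionA) flagged in the ".Net Code" rows. SAMPLE_ROWS is a constructed excerpt copied from rows on this page; the CAPABILITY labels and the Startup-folder persistence check are this example's own assumptions, not something the report states.

```python
"""Triage helper for flattened sandbox-report rows ("Source: <origin> | <evidence> |").

Added example, not part of the original report. SAMPLE_ROWS is a constructed
excerpt copied from rows on this page; the CAPABILITY labels and the Startup
folder persistence check are this example's own assumptions.
"""

import re
from collections import defaultdict

# Constructed sample: ten rows copied from this page, two of them verbatim duplicates.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX |
Source: System.exe.0.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: System.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: System.exe.0.dr, OK.cs | .Net Code: njRat config detected |
Source: Yara match | File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR |
Source: Yara match | File source: C:\svchost.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED |
"""

ROW_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<detail>.+?)\s*\|?\s*$")
PID_RE = re.compile(r"Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)")
DROPPED_RE = re.compile(r"File source:\s*(?P<path>.+?),\s*type:\s*DROPPED\b")
# P/Invoke tuples in the report look like ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
API_RE = re.compile(r"\('(?P<name>[^']+)',\s*'[^'@]+@(?P<module>[^']+)'\)")

# Assumed capability labels for the Win32 imports the report flags (example's own mapping).
CAPABILITY = {
    "GetAsyncKeyState": "keystroke polling (keylogger)",
    "MapVirtualKey": "virtual-key to character translation (keylogger)",
    "capGetDriverDescriptionA": "video capture driver enumeration (webcam)",
}


def parse_rows(text):
    """Return (source, evidence) pairs for every well-formed row, in report order."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["src"], m["detail"]))
    return rows


def collapse(rows):
    """Merge verbatim-repeated rows into (source, evidence, count), first-seen order."""
    counts = {}
    for row in rows:
        counts[row] = counts.get(row, 0) + 1
    return [(src, detail, n) for (src, detail), n in counts.items()]


def extract_iocs(rows):
    """Pull host-huntable artifacts out of the evidence column."""
    iocs = {"dropped": [], "pids": {}, "pinvoke": defaultdict(set)}
    for _src, detail in rows:
        if m := DROPPED_RE.search(detail):
            if m["path"] not in iocs["dropped"]:
                iocs["dropped"].append(m["path"])
        elif m := PID_RE.search(detail):
            iocs["pids"][int(m["pid"])] = m["image"]
        elif detail.startswith("Reference to suspicious API methods"):
            for name, module in API_RE.findall(detail):
                module = module.lower()
                if module.endswith(".dll"):  # 'user32' and 'user32.dll' are the same module
                    module = module[:-4]
                iocs["pinvoke"][module].add(name)
    iocs["pinvoke"] = dict(iocs["pinvoke"])
    return iocs


def persistence_paths(dropped):
    """Dropped files under a per-user Startup folder are launched at every logon."""
    marker = "\\start menu\\programs\\startup\\"
    return [p for p in dropped if marker in p.lower()]


def capabilities(iocs):
    """Map flagged imports to the assumed capability labels, deduplicated and sorted."""
    return sorted({CAPABILITY[n] for names in iocs["pinvoke"].values() for n in names if n in CAPABILITY})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for src, detail, n in collapse(rows):
        print(f"{n:>3}x  {src} | {detail}")
    iocs = extract_iocs(rows)
    print("PIDs:", iocs["pids"])
    print("Dropped:", iocs["dropped"])
    print("Persistence:", persistence_paths(iocs["dropped"]))
    print("Capabilities:", capabilities(iocs))
```

Run it as a script to see the collapsed rows and the hunt list for the sample; feed the whole report's rows into parse_rows to get the same summary for the full page. Collapsing by exact (source, evidence) pair is deliberate: it keeps the per-process counts that distinguish the dropper on the Desktop from the copies running as System.exe and from netsh.exe, which a plain set() would throw away.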