Windows Analysis Report 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe

Overview

General Information

Sample Name: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Analysis ID: 553248
MD5: 70aca878bfaac1eaf7019eddd97fc877
SHA1: 4997c055b582c71cbb3863c9523986b51a339797
SHA256: 72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
Tags: exe, njrat, RAT
Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Drops fake system file at system root drive
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Creates autorun.inf (USB autostart)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe" MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
    • System.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Roaming\System.exe" MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
      • netsh.exe (PID: 2976 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • System.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • System.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • System.exe (PID: 5224 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Host": "System.exe", "Port": "13467", "Mutex": "9156ea52d892a71a5c604fdd4141de82", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "im523", "Network Seprator": "|'|'|"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del

Dropped Files

Source | Rule | Description | Author | Strings
C:\svchost.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
C:\svchost.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\System.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
C:\Users\user\AppData\Roaming\System.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
(1 further entry not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x7ede:$a1: netsh firewall add allowedprogram
  • 0x80d8:$b1: [TAP]
  • 0x807e:$b2: & exit
  • 0x804a:$c1: md.exe /k ping 0 & del
0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x7ede:$a1: netsh firewall add allowedprogram
  • 0x80d8:$b1: [TAP]
  • 0x807e:$b2: & exit
  • 0x804a:$c1: md.exe /k ping 0 & del
0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
(26 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.System.exe.c70000.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
4.0.System.exe.c70000.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
9.2.System.exe.f50000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
9.2.System.exe.f50000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
4.0.System.exe.c70000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
(21 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\System.exe", ParentImage: C:\Users\user\AppData\Roaming\System.exe, ParentProcessId: 5628, ProcessCommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, ProcessId: 2976

HIPS / PFW / Operating System Protection Evasion:

Sigma detected: Drops fake system file at system root drive
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\System.exe, ProcessId: 5628, TargetFilename: C:\svchost.exe

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Malware Configuration Extractor: Njrat {"Host": "System.exe", "Port": "13467", "Mutex": "9156ea52d892a71a5c604fdd4141de82", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "im523", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for submitted file
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Virustotal: Detection: 77%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Metadefender: Detection: 85%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, ReversingLabs: Detection: 95%
Yara detected Njrat
Source: Yara match, File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match, File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match, File source: C:\svchost.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: 0.tcp.ngrok.io, Virustotal: Detection: 13%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\svchost.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\System.exe, Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\System.exe, Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\System.exe, ReversingLabs: Detection: 95%
Source: C:\svchost.exe, Virustotal: Detection: 77%
Source: C:\svchost.exe, Metadefender: Detection: 85%
Source: C:\svchost.exe, ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Joe Sandbox ML: detected
Source: C:\svchost.exe, Joe Sandbox ML: detected
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 9.0.System.exe.f50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.2.System.exe.c70000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.2.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.3.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.0.System.exe.510000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.1.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.0.System.exe.50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.2.System.exe.510000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.2.System.exe.50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 9.2.System.exe.f50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Creates autorun.inf (USB autostart)
Source: C:\Users\user\AppData\Roaming\System.exe, File created: C:\autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: [autorun]
Source: System.exe.0.dr, Binary or memory string: autorun.inf
Source: System.exe.0.dr, Binary or memory string: [autorun]
Source: autorun.inf.4.dr, Binary or memory string: [autorun]
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, Binary or memory string: autorun.inf
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, Binary or memory string: [autorun]
Source: svchost.exe.4.dr, Binary or memory string: autorun.inf
Source: svchost.exe.4.dr, Binary or memory string: [autorun]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49753 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49754 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49755 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49758 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49759 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49760 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49761 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49762 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49763 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49765 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49767 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49770 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49771 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49773 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49778 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49799 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49803 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49813 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49816 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49818 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49819 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49820 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49821 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49822 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49823 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49825 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49826 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49840 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49851 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49852 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49857 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49858 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49859 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49860 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49861 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49862 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49864 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49865 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49866 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49867 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49868 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49869 -> 3.22.30.40:13467
Connects to many ports of the same IP (likely port scanning)
Source: global traffic, TCP traffic: 3.134.125.175 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.17.7.232 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.22.30.40 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.14.182.203 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.13.191.225 ports 1,3,4,6,7,13467
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: System.exe
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View, IP Address: 3.134.125.175 3.134.125.175
Source: Joe Sandbox View, IP Address: 3.17.7.232 3.17.7.232
Source: global traffic, TCP traffic: 192.168.2.3:49753 -> 3.17.7.232:13467
Source: global traffic, TCP traffic: 192.168.2.3:49759 -> 3.14.182.203:13467
Source: global traffic, TCP traffic: 192.168.2.3:49760 -> 3.13.191.225:13467
Source: global traffic, TCP traffic: 192.168.2.3:49765 -> 3.22.30.40:13467
Source: global traffic, TCP traffic: 192.168.2.3:49818 -> 3.134.125.175:13467
Source: System.exe, System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr, String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: unknown, DNS traffic detected: queries for: 0.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs, .Net Code: VKCodeToUnicode
Source: System.exe.0.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: svchost.exe.4.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.2.System.exe.c70000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.2.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.3.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.1.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9.0.System.exe.f50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9.2.System.exe.f50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 11.0.System.exe.50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 11.2.System.exe.50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 12.0.System.exe.510000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 12.2.System.exe.510000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match | File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match | File source: C:\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Code function: 0_2_00846B5E
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_00C76B5E
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 9_2_00F56B5E
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 11_2_00056B5E
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 12_2_00516B5E
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E026A NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E0032 NtSetInformationProcess,
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E022F NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E0007 NtSetInformationProcess,
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Virustotal: Detection: 77%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Metadefender: Detection: 85%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File read: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
Source: C:\Users\user\AppData\Roaming\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" ..
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File created: C:\Users\user\AppData\Roaming\System.exe
Source: classification engine | Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@42/6
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_01
Source: C:\Users\user\AppData\Roaming\System.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: System.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: svchost.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.2.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.3.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.1.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 9_2_016126B0 push edi; ret
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 11_2_009226B0 push edi; ret
Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 12_2_00E126B0 push edi; ret

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\svchost.exe
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File created: C:\Users\user\AppData\Roaming\System.exe
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Roaming\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
Source: C:\Users\user\AppData\Roaming\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 (2 identical entries)
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process information set: NOOPENFILEERRORBOX (21 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe TID: 7004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 4192 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 5528 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 404 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe | Window / User API: threadDelayed 4306
Source: C:\Users\user\AppData\Roaming\System.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: netsh.exe, 00000006.00000002.342892015.0000000000CC8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\System.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: System.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: System.exe.0.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: svchost.exe.4.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: svchost.exe.4.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.2.System.exe.c70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.2.System.exe.c70000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.2.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.2.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.3.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.3.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.1.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.1.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9.0.System.exe.f50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9.0.System.exe.f50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9.2.System.exe.f50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9.2.System.exe.f50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.0.System.exe.50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.System.exe.50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.2.System.exe.50000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.System.exe.50000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 12.0.System.exe.510000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 12.0.System.exe.510000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 12.2.System.exe.510000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 12.2.System.exe.510000.0.unpack, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp | Binary or memory string: program managerH
Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp | Binary or memory string: RhProgram Manager
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp | Binary or memory string: Program Managerraq(
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Roaming\System.exe | Queries volume information: C:\ VolumeInformation (29 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Roaming\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
Modifies the windows firewall
Source: C:\Users\user\AppData\Roaming\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE

Stealing of Sensitive Information:

Yara detected Njrat
  Sample: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
  Unpacked PE files:
    0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack
    0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack
    4.0.System.exe.c70000.0.unpack, 4.0.System.exe.c70000.1.unpack, 4.0.System.exe.c70000.2.unpack, 4.0.System.exe.c70000.3.unpack
    4.2.System.exe.c70000.0.unpack
    9.0.System.exe.f50000.0.unpack, 9.2.System.exe.f50000.0.unpack
    11.0.System.exe.50000.0.unpack, 11.2.System.exe.50000.0.unpack
    12.0.System.exe.510000.0.unpack, 12.2.System.exe.510000.0.unpack
  Memory dumps:
    00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp
    00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp
    00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp
    00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp
    00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp
    00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp
    00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp
    00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp
    00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp
    0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp
    0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp
    0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp
    0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp
  Process memory space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID 6756; System.exe PIDs 5628, 6172, 6964, 5224
  Dropped files:
    C:\svchost.exe
    C:\Users\user\AppData\Roaming\System.exe
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe

Remote Access Functionality:

Detected njRat (.NET code, OK.cs: njRat config detected) in the following sources (.N.dr denotes a file dropped by the process with analysis index N):
  72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
  System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr
  0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack
  0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack
  4.0.System.exe.c70000.0.unpack, 4.0.System.exe.c70000.1.unpack, 4.0.System.exe.c70000.2.unpack, 4.0.System.exe.c70000.3.unpack
  4.2.System.exe.c70000.0.unpack
  9.0.System.exe.f50000.0.unpack, 9.2.System.exe.f50000.0.unpack
  11.0.System.exe.50000.0.unpack, 11.2.System.exe.50000.0.unpack
  12.0.System.exe.510000.0.unpack, 12.2.System.exe.510000.0.unpack
Yara detected Njrat: the same Yara matches as listed under Stealing of Sensitive Information above (sample, unpacked PE files, memory dumps, process memory and the three dropped executables).

Mitre Att&ck Matrix

Techniques flagged for this sample, grouped by tactic. The digits in parentheses are the badge counters the report renders beside a technique; the flattened export ran them into the technique name. Unflagged entries are the matrix's standard cells and carry no observation for this sample.

Initial Access: Replication Through Removable Media (11). Unflagged: Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise.
Execution: Native API (1). Unflagged: Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter.
Persistence: Registry Run Keys / Startup Folder (221). Unflagged: Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job.
Privilege Escalation: Process Injection (12), Registry Run Keys / Startup Folder (221). Unflagged: Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job.
Defense Evasion: Masquerading (11), Disable or Modify Tools (21), Virtualization/Sandbox Evasion (21), Process Injection (12), Obfuscated Files or Information (1), Software Packing (11). Unflagged: Compile After Delivery, Indicator Removal from Tools.
Credential Access: Input Capture (11). Unflagged: LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem.
Discovery: Security Software Discovery (11), Process Discovery (2), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), Peripheral Device Discovery (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (12).
Lateral Movement: Replication Through Removable Media (11). Unflagged: Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot.
Collection: Input Capture (11), Archive Collected Data (1). Unflagged: Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking.
Exfiltration: none flagged. Unflagged: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol.
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (11). Unflagged: Multiband Communication, Commonly Used Port, Application Layer Protocol.
Network Effects: none flagged. Unflagged: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols.
Remote Service Effects: none flagged. Unflagged: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups.
Impact: none flagged. Unflagged: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue.

                      Behavior Graph

Behavior Graph ID: 553248. Sample: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe. Start date: 14/01/2022. Architecture: WINDOWS. Score: 100.

Start node: DNS 0.tcp.ngrok.io. Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures.

Processes started from the start node (the two numbers after a process are the graph badges for created registry values and created files):
  72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, node 9 (badges 1 6)
  System.exe, node 12 (badge 3); System.exe, node 14 (badge 2); System.exe, node 16 (badge 2)

Node 9 (the sample) dropped:
  C:\Users\user\AppData\Roaming\System.exe, PE32
  C:\Users\user\...\System.exe:Zone.Identifier, ASCII
  72CA3E2F8479A075C8...F868D66D327.exe.log, ASCII
and started System.exe, node 18 (badges 2 11).

Node 18 (System.exe):
  Network: 3.13.191.225, ports 13467, 49760, 49859, AMAZON-02US, United States; 3.134.125.175, ports 13467, 49818, 49823, AMAZON-02US, United States; 4 other IPs or domains.
  Dropped: C:\svchost.exe, PE32; C:\...\9156ea52d892a71a5c604fdd4141de82.exe, PE32; C:\svchost.exe:Zone.Identifier, ASCII; 2 other malicious files.
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 7 other signatures.
  Started: netsh.exe, node 23 (badges 1 3), which started conhost.exe, node 25.

Screenshots

(Screenshot thumbnails are not reproduced in this text rendering.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 77% | Virustotal |
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 86% | Metadefender |
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 100% | Avira | TR/ATRAPS.Gen
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\System.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 100% | Avira | TR/ATRAPS.Gen
C:\svchost.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\System.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 100% | Joe Sandbox ML |
C:\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 77% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 86% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\System.exe | 77% | Virustotal |
C:\Users\user\AppData\Roaming\System.exe | 86% | Metadefender |
C:\Users\user\AppData\Roaming\System.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\svchost.exe | 77% | Virustotal |
C:\svchost.exe | 86% | Metadefender |
C:\svchost.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
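All three dropped executables carry the same MD5, SHA1 and SHA256 as the submitted sample, and the report types every one of them as a PE32 .NET assembly. The Python below is an added example written for this page, not code from Joe Sandbox or from the report: it hashes a file against those indicators, walks the PE headers just far enough to confirm the PE32 / i386 / GUI-subsystem / CLR-header combination the report describes, and applies the drop-path patterns seen in this run. The header offsets and constants are from the PE format; the path regexes, the extra system-binary names beyond svchost.exe and the constructed sample header are assumptions made for illustration.

```python
import hashlib
import re
import struct
from dataclasses import dataclass

# Hashes the report gives for the sample; the dropped copies share them.
IOC_HASHES = {
    "md5": "70aca878bfaac1eaf7019eddd97fc877",
    "sha1": "4997c055b582c71cbb3863c9523986b51a339797",
    "sha256": "72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60",
}
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the .NET header)

# Assumed path heuristics mirroring where this sample put its copies.
SYSTEM_BIN_AT_ROOT = re.compile(r"^[a-z]:\\(svchost|csrss|lsass|winlogon|services)\.exe$", re.I)
STARTUP_HEX_NAME = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)
ROAMING_SYSTEM_EXE = re.compile(r"\\AppData\\Roaming\\System\.exe$", re.I)


@dataclass
class PeInfo:
    is_pe: bool
    pe32: bool = False       # True: PE32 (magic 0x10B); False: PE32+ (0x20B)
    machine: int = 0
    subsystem: int = 0
    dotnet: bool = False     # CLR runtime header directory is populated


def parse_pe(data: bytes) -> PeInfo:
    """Walk just enough of the PE headers to classify the image."""
    try:
        if data[:2] != b"MZ":
            return PeInfo(False)
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return PeInfo(False)
        machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                       # start of the optional header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:
            pe32, ndirs_off, dirs_off = True, 92, 96
        elif magic == 0x20B:
            pe32, ndirs_off, dirs_off = False, 108, 112
        else:
            return PeInfo(True, machine=machine)
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
        dotnet = False
        clr_off = dirs_off + 8 * CLR_DIRECTORY_INDEX
        if ndirs > CLR_DIRECTORY_INDEX and opt_size >= clr_off + 8:
            rva, size = struct.unpack_from("<II", data, opt + clr_off)
            dotnet = rva != 0 and size != 0
        return PeInfo(True, pe32, machine, subsystem, dotnet)
    except struct.error:
        return PeInfo(False)      # truncated headers


def triage(path: str, data: bytes) -> dict:
    """Hash the bytes, classify the PE, and apply the report's path indicators."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}
    pe = parse_pe(data)
    flags = []
    if any(digests[name] == value for name, value in IOC_HASHES.items()):
        flags.append("hash matches the report's njRat sample")
    if pe.is_pe and pe.pe32 and pe.machine == IMAGE_FILE_MACHINE_I386 and pe.dotnet:
        flags.append("PE32 .NET assembly (same file class as the dropped copies)")
    if SYSTEM_BIN_AT_ROOT.match(path):
        flags.append("system binary name at drive root")
    if STARTUP_HEX_NAME.search(path):
        flags.append("32-hex-named executable in Startup folder")
    if ROAMING_SYSTEM_EXE.search(path):
        flags.append("System.exe under AppData\\Roaming")
    return {"path": path, "hashes": digests, "pe": pe, "flags": flags}


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(path, fh.read())


def build_sample_pe32_dotnet() -> bytes:
    """Constructed, non-executable PE32 header with a populated CLR directory.
    It stands in for a real .NET image so the example runs offline."""
    e_lfanew, opt_size = 0x80, 224
    buf = bytearray(e_lfanew + 24 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<H", buf, opt + 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", buf, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(buf)


if __name__ == "__main__":
    result = triage(r"C:\svchost.exe", build_sample_pe32_dotnet())
    print(result["pe"], result["flags"], sep="\n")
```

A hash match is the only flag that ties a file to this exact sample; the PE-class and path flags are weaker and are meant to surface rebuilt njRat copies (same builder output, different hash) that land in the same places.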

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
9.0.System.exe.f50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
4.0.System.exe.c70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
4.2.System.exe.c70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
4.0.System.exe.c70000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
4.0.System.exe.c70000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
12.0.System.exe.510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
4.0.System.exe.c70000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
11.0.System.exe.50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
12.2.System.exe.510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
11.2.System.exe.50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
9.2.System.exe.f50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

                      Domains

Source | Detection | Scanner | Label
0.tcp.ngrok.io | 14% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
System.exe | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
0.tcp.ngrok.io | 3.17.7.232 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
System.exe | true | Avira URL Cloud: safe | unknown
(The entry is a bare file name, not a network address; it is the name of the dropped copy.)

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0 | System.exe, System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr | false | | high
(The URL is embedded in the sample and in every dropped copy; the "false" / "high" verdict reflects the dropbox.com host, and no download of Pass.exe appears among the contacted URLs in this run.)

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.134.125.175 | unknown | United States | 16509 | AMAZON-02US | true
3.17.7.232 | 0.tcp.ngrok.io | United States | 16509 | AMAZON-02US | true
3.22.30.40 | unknown | United States | 16509 | AMAZON-02US | true
3.14.182.203 | unknown | United States | 16509 | AMAZON-02US | true
3.13.191.225 | unknown | United States | 16509 | AMAZON-02US | true

Only 3.17.7.232 is tied to a hostname in this run; the other four sit in the same Amazon ASN and are not otherwise identified. ngrok TCP tunnel endpoints are shared cloud infrastructure, so the hostname and port pair, not these addresses, is the durable indicator.

                        Private

IP
192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:553248
                        Start date:14.01.2022
                        Start time:14:54:23
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 52s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@42/6
                        EGA Information:
                        • Successful, ratio: 80%
                        HDC Information:
                        • Successful, ratio: 11.8% (good quality ratio 7.7%)
                        • Quality average: 46.8%
                        • Quality standard deviation: 38.4%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, PID 6756 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Note that svchost.exe is on the process whitelist: if that exclusion is applied by image name, any execution of the dropped C:\svchost.exe would not have been captured in this report.

                        Simulations

                        Behavior and APIs

Time | Type | Description
14:55:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
14:55:51 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
14:55:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
14:56:07 | Autostart | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
The trailing .. after the quoted path is part of the Run value data as the sample writes it, which makes it a convenient hunting string alongside the 32-hex-character value name.
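The autostart entries above, the netsh firewall add allowedprogram command the report records for System.exe, the C:\svchost.exe drop and the 0.tcp.ngrok.io lookup together form a recognisable chain. The Python below is an added example written for this page, not Joe Sandbox code and not part of the report: it runs simple Sysmon-style rules over constructed events modelled on this run and then correlates hits per acting process, so that one user-writable binary tripping several rules stands out even when each rule alone is noisy. Sysmon event IDs and field names are real; the constructed events, the rule names, the advfirewall form of the command, the extra fake system-binary names, the RunOnce key and the regional ngrok hostnames are assumptions, not observations from this report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events modelled on this report's process tree
# (EventID 1 = process create, 11 = file create, 13 = registry value set,
# 22 = DNS query). They are illustrative, not the sandbox's raw telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\System.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE'},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\System.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\9156ea52d892a71a5c604fdd4141de82",
     "Details": r'"C:\Users\user\AppData\Roaming\System.exe" ..'},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Roaming\System.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Roaming\System.exe",
     "TargetFilename": r"C:\svchost.exe"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\System.exe",
     "QueryName": "0.tcp.ngrok.io"},
    # Two benign controls: a firewall rule for a Program Files binary and a
    # normal Run value; neither should fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Backup agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
FAKE_SYSTEM_BIN = re.compile(r"^[a-z]:\\(svchost|csrss|lsass|winlogon|services)\.exe$", re.I)
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]+)?\.ngrok\.io$", re.I)
EXE_PATH = re.compile(r"^(?:program=)?([a-z]:\\.+\.exe)$", re.I)
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # keeps quoted paths with spaces intact


def firewall_program(cmdline: str):
    """Return the program path a netsh firewall-allow command whitelists, or None."""
    low = cmdline.lower()
    legacy = "firewall" in low and "allowedprogram" in low
    modern = "advfirewall" in low and "add rule" in low
    if not (legacy or modern):
        return None
    for tok in TOKEN.findall(cmdline):
        m = EXE_PATH.match(tok.replace('"', ""))
        if m:
            return m.group(1)
    return None


def detect(events):
    """Per-event rules. Each hit is (rule, acting image, evidence)."""
    hits = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1 and image.lower().endswith("\\netsh.exe"):
            prog = firewall_program(ev.get("CommandLine", ""))
            if prog and USER_WRITABLE.search(prog):
                # netsh is only the tool; attribute the action to its parent
                hits.append(("netsh_allow_userwritable_program", ev.get("ParentImage", image), prog))
        elif eid == 13:
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m and (HEX32.match(m.group(2)) or USER_WRITABLE.search(ev.get("Details", ""))):
                hits.append(("run_value_to_userwritable_path", image, ev["TargetObject"]))
        elif eid == 11:
            name = ev.get("TargetFilename", "")
            if STARTUP_EXE.search(name):
                hits.append(("exe_dropped_in_startup_folder", image, name))
            if FAKE_SYSTEM_BIN.match(name):
                hits.append(("fake_system_binary_at_drive_root", image, name))
        elif eid == 22 and NGROK_TCP.match(ev.get("QueryName", "")):
            hits.append(("ngrok_tcp_tunnel_lookup", image, ev["QueryName"]))
    return hits


def correlate(hits, min_rules=3):
    """Group hits by acting process; report processes with >= min_rules distinct rules."""
    by_actor = defaultdict(set)
    for rule, actor, _ in hits:
        by_actor[actor.lower()].add(rule)
    return {actor: sorted(rules) for actor, rules in by_actor.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, actor, evidence in found:
        print(f"{rule:36} {actor}  <- {evidence}")
    for actor, rules in correlate(found).items():
        print(f"\nnjRat-like behaviour chain for {actor}: {', '.join(rules)}")
```

The netsh rule attributes the hit to the parent image rather than to netsh.exe itself; that is what lets the firewall exception, the Run value, the Startup-folder drop, the fake svchost.exe and the ngrok lookup all land on the same System.exe key in correlate(), while the two benign control events produce no hits at all.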

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.log
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):525
                        Entropy (8bit):5.2874233355119316
                        Encrypted:false
                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                        MD5:80EFBEC081D7836D240503C4C9465FEC
                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\System.exe.log
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):525
                        Entropy (8bit):5.2874233355119316
                        Encrypted:false
                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                        MD5:80EFBEC081D7836D240503C4C9465FEC
                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Author: Brian Wallace @botnet_hunter
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 77%
• Antivirus: Metadefender, Detection: 86%
• Antivirus: ReversingLabs, Detection: 95%
                        Reputation:low
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe:Zone.Identifier
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\Users\user\AppData\Roaming\System.exe
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 77%
                        • Antivirus: Metadefender, Detection: 86%
                        • Antivirus: ReversingLabs, Detection: 95%
                        Reputation:low
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\Users\user\AppData\Roaming\System.exe:Zone.Identifier
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\autorun.inf
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):50
                        Entropy (8bit):4.320240000427043
                        Encrypted:false
                        SSDEEP:3:It1KV2LKMACovK0x:e1KzxvD
                        MD5:5B0B50BADE67C5EC92D42E971287A5D9
                        SHA1:90D5C99143E7A56AD6E5EE401015F8ECC093D95A
                        SHA-256:04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
                        SHA-512:C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
                        Malicious:true
                        Preview: [autorun]..open=C:\svchost.exe..shellexecute=C:\..
                        C:\svchost.exe
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 77%
                        • Antivirus: Metadefender, Detection: 86%
                        • Antivirus: ReversingLabs, Detection: 95%
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\svchost.exe:Zone.Identifier
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview: [ZoneTransfer]....ZoneId=0
                        \Device\ConDrv
                        Process:C:\Windows\SysWOW64\netsh.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):313
                        Entropy (8bit):4.971939296804078
                        Encrypted:false
                        SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                        MD5:689E2126A85BF55121488295EE068FA1
                        SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                        SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                        SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                        Malicious:false
                        Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):5.575659694964963
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File size:37888
                        MD5:70aca878bfaac1eaf7019eddd97fc877
                        SHA1:4997c055b582c71cbb3863c9523986b51a339797
                        SHA256:72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
                        SHA512:17bedcd516ba8f18b5e4d8a2a8c9d1b6e95be2158d654b3b15fe2d379cdce682c609801e1b5c01487fa732ef1591d7cde1460448ffd4ffe8a50f6c3c82cb36c2
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x40abbe
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x60AB6F12 [Mon May 24 09:17:06 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v2.0.50727
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab70 | 0x4b | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x240 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x8bc4 | 0x8c00 | False | 0.463895089286 | data | 5.60730804361 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xc000 | 0x240 | 0x400 | False | 0.3134765625 | data | 4.96877165952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_MANIFEST | 0xc058 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

                        Imports

                        DLL | Import
                        mscoree.dll | _CorExeMain

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/14/22-14:55:46.343993 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:48.595556 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60784 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:55:48.762801 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:51.454912 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:54.224128 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:57.123895 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:00.006211 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:56:03.177148 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49761 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:05.935422 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55102 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:06.098596 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49762 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:08.812231 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56236 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:08.974929 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49763 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:11.736334 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49559 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:11.904970 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49765 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:14.639656 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49767 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:17.749487 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49770 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:20.375566 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49771 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:23.288901 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49773 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:26.086507 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49778 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:28.732206 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49799 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:31.478555 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49803 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:34.195822 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49813 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:36.993737 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49816 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:39.740921 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49818 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:56:42.427424 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49819 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:45.091298 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49820 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:47.745365 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49821 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:50.337717 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50824 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:50.506419 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49822 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:53.280011 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49823 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:56:55.918054 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62855 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:56.085319 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49825 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:58.776496 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49826 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:01.289281 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49290 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:57:01.456784 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49840 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:04.185000 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49851 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:57:06.846067 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49852 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:09.672363 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49857 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:12.379810 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49858 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:15.052356 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49859 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:17.712854 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49860 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:20.383404 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49861 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:23.134241 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49862 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:57:25.811740 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49864 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:28.851831 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49865 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:31.155906 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49866 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:33.794104 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49867 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:36.531249 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49868 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:39.326499 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49869 | 13467 | 192.168.2.3 | 3.22.30.40

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 14, 2022 14:55:45.856554985 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:46.004971981 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.005089045 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:46.343992949 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:46.492089033 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.493834972 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:46.541907072 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.585673094 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:46.641864061 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.951797962 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.952209949 CET | 13467 | 49753 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:46.952291965 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:48.557099104 CET | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:48.598484039 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:48.746646881 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:48.746752977 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:48.762800932 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:48.911252975 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:48.911369085 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:49.060733080 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:49.239238024 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:49.289077044 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:49.341176033 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:49.342351913 CET | 13467 | 49754 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:49.342453957 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.242801905 CET | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.271502018 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.420833111 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:51.422240973 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.454911947 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.602993965 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:51.603136063 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.751168966 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:51.759263039 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:51.907783031 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:52.019689083 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:52.052608967 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:52.052696943 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:52.053304911 CET | 13467 | 49755 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:52.053371906 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.024209023 CET | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.060008049 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.208894014 CET | 13467 | 49758 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:54.210483074 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.224128008 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.373317003 CET | 13467 | 49758 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:54.373409033 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:54.521255970 CET | 13467 | 49758 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:54.910993099 CET | 13467 | 49758 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:54.911032915 CET | 13467 | 49758 | 3.17.7.232 | 192.168.2.3
                        Jan 14, 2022 14:55:54.911148071 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:56.915455103 CET | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        Jan 14, 2022 14:55:56.951477051 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:57.101223946 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.101358891 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:57.123894930 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:57.273524046 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.273648024 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:57.424532890 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.618554115 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.664696932 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:57.731481075 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.732249975 CET | 13467 | 49759 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:55:57.732328892 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:59.634694099 CET | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:55:59.833179951 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:55:59.981893063 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:55:59.982150078 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:00.006211042 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:00.154989958 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:56:00.155174971 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:00.305074930 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:56:00.503254890 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:56:00.555558920 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:00.617573977 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:56:00.617634058 CET | 13467 | 49760 | 3.13.191.225 | 192.168.2.3
                        Jan 14, 2022 14:56:00.617763042 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:02.915493011 CET | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        Jan 14, 2022 14:56:03.007220984 CET | 49761 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:56:03.155801058 CET | 13467 | 49761 | 3.14.182.203 | 192.168.2.3
                        Jan 14, 2022 14:56:03.155880928 CET | 49761 | 13467 | 192.168.2.3 | 3.14.182.203
                        Jan 14, 2022 14:56:03.177148104 CET4976113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:03.326867104 CET13467497613.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:03.326941967 CET4976113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:03.475833893 CET13467497613.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:03.884612083 CET13467497613.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:03.884649038 CET13467497613.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:03.884733915 CET4976113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:05.900490046 CET4976113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:05.936701059 CET4976213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:06.086052895 CET13467497623.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:06.086170912 CET4976213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:06.098596096 CET4976213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:06.247594118 CET13467497623.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:06.247698069 CET4976213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:06.397921085 CET13467497623.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:06.767045021 CET13467497623.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:06.767075062 CET13467497623.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:06.767631054 CET4976213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:08.775754929 CET4976213467192.168.2.33.14.182.203

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 14, 2022 14:55:45.826014996 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:45.845385075 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:55:48.573869944 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:48.595556021 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:55:51.250332117 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:51.267457962 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:55:54.034359932 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:54.053494930 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:55:56.930083036 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:56.949445963 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:55:59.640835047 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:55:59.660417080 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:02.986785889 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:03.006030083 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:05.912566900 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:05.935421944 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:08.785914898 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:08.812231064 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:11.714885950 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:11.736334085 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:14.454736948 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:14.474361897 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:17.219274998 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:17.238837957 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:20.142657042 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:20.162110090 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:23.108827114 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:23.126688004 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:25.848159075 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:25.867337942 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:28.549057961 CET | 63456 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:28.568577051 CET | 53 | 63456 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:31.243753910 CET | 55108 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:31.262999058 CET | 53 | 55108 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:33.952836037 CET | 58942 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:33.969996929 CET | 53 | 58942 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:36.805179119 CET | 64432 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:36.825191021 CET | 53 | 64432 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:39.552303076 CET | 63490 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:39.572302103 CET | 53 | 63490 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:42.237478018 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:42.254549980 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:44.912789106 CET | 61120 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:44.930639029 CET | 53 | 61120 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:47.566504002 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:47.586004019 CET | 53 | 53079 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:50.310465097 CET | 50824 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:50.337717056 CET | 53 | 50824 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:53.083189011 CET | 56706 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:53.101566076 CET | 53 | 56706 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:55.895234108 CET | 62855 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:55.918054104 CET | 53 | 62855 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:56:58.591355085 CET | 51046 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:56:58.608932018 CET | 53 | 51046 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:01.259596109 CET | 49290 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:01.289280891 CET | 53 | 49290 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:03.945168972 CET | 59754 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:03.965209007 CET | 53 | 59754 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:06.660762072 CET | 49234 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:06.680274010 CET | 53 | 49234 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:09.400335073 CET | 57447 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:09.419737101 CET | 53 | 57447 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:12.201404095 CET | 63583 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:12.220947981 CET | 53 | 63583 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:14.870506048 CET | 64099 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:14.890022993 CET | 53 | 64099 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:17.534580946 CET | 64610 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:17.553966999 CET | 53 | 64610 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:20.180349112 CET | 51989 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:20.201327085 CET | 53 | 51989 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:22.931205988 CET | 53152 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:22.950678110 CET | 53 | 53152 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:25.630670071 CET | 56077 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:25.649379969 CET | 53 | 56077 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:28.312005997 CET | 57951 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:28.331880093 CET | 53 | 57951 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:30.979021072 CET | 53276 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:30.998452902 CET | 53 | 53276 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:33.620198011 CET | 60135 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:33.639610052 CET | 53 | 60135 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:36.354939938 CET | 49849 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:36.375444889 CET | 53 | 49849 | 8.8.8.8 | 192.168.2.3
                        Jan 14, 2022 14:57:39.139276981 CET | 60253 | 53 | 192.168.2.3 | 8.8.8.8
                        Jan 14, 2022 14:57:39.159666061 CET | 53 | 60253 | 8.8.8.8 | 192.168.2.3

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Jan 14, 2022 14:55:45.826014996 CET | 192.168.2.3 | 8.8.8.8 | 0x354d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:48.573869944 CET | 192.168.2.3 | 8.8.8.8 | 0x7217 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:51.250332117 CET | 192.168.2.3 | 8.8.8.8 | 0x1e2 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:54.034359932 CET | 192.168.2.3 | 8.8.8.8 | 0x5d28 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:56.930083036 CET | 192.168.2.3 | 8.8.8.8 | 0xc746 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:59.640835047 CET | 192.168.2.3 | 8.8.8.8 | 0x47a0 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:02.986785889 CET | 192.168.2.3 | 8.8.8.8 | 0x53ee | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:05.912566900 CET | 192.168.2.3 | 8.8.8.8 | 0x1b23 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:08.785914898 CET | 192.168.2.3 | 8.8.8.8 | 0x7451 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:11.714885950 CET | 192.168.2.3 | 8.8.8.8 | 0xa4dd | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:14.454736948 CET | 192.168.2.3 | 8.8.8.8 | 0xb74 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:17.219274998 CET | 192.168.2.3 | 8.8.8.8 | 0xd3e | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:20.142657042 CET | 192.168.2.3 | 8.8.8.8 | 0x4e7a | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:23.108827114 CET | 192.168.2.3 | 8.8.8.8 | 0x900e | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:25.848159075 CET | 192.168.2.3 | 8.8.8.8 | 0xa643 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:28.549057961 CET | 192.168.2.3 | 8.8.8.8 | 0x1087 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:31.243753910 CET | 192.168.2.3 | 8.8.8.8 | 0x990c | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:33.952836037 CET | 192.168.2.3 | 8.8.8.8 | 0x8d4 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:36.805179119 CET | 192.168.2.3 | 8.8.8.8 | 0xf5b | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:39.552303076 CET | 192.168.2.3 | 8.8.8.8 | 0x135d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:42.237478018 CET | 192.168.2.3 | 8.8.8.8 | 0x8ce5 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:44.912789106 CET | 192.168.2.3 | 8.8.8.8 | 0x1565 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:47.566504002 CET | 192.168.2.3 | 8.8.8.8 | 0xfe29 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:50.310465097 CET | 192.168.2.3 | 8.8.8.8 | 0xecf | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:53.083189011 CET | 192.168.2.3 | 8.8.8.8 | 0xa4dd | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:55.895234108 CET | 192.168.2.3 | 8.8.8.8 | 0x6f54 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:58.591355085 CET | 192.168.2.3 | 8.8.8.8 | 0x3abe | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:01.259596109 CET | 192.168.2.3 | 8.8.8.8 | 0xa299 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:03.945168972 CET | 192.168.2.3 | 8.8.8.8 | 0x5d9f | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:06.660762072 CET | 192.168.2.3 | 8.8.8.8 | 0x7ff4 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:09.400335073 CET | 192.168.2.3 | 8.8.8.8 | 0x296d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:12.201404095 CET | 192.168.2.3 | 8.8.8.8 | 0xcb98 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:14.870506048 CET | 192.168.2.3 | 8.8.8.8 | 0x7190 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:17.534580946 CET | 192.168.2.3 | 8.8.8.8 | 0x2b1b | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:20.180349112 CET | 192.168.2.3 | 8.8.8.8 | 0x732d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:22.931205988 CET | 192.168.2.3 | 8.8.8.8 | 0xff31 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:25.630670071 CET | 192.168.2.3 | 8.8.8.8 | 0x3ef9 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:28.312005997 CET | 192.168.2.3 | 8.8.8.8 | 0x5e29 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:30.979021072 CET | 192.168.2.3 | 8.8.8.8 | 0xf575 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:33.620198011 CET | 192.168.2.3 | 8.8.8.8 | 0xec81 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:36.354939938 CET | 192.168.2.3 | 8.8.8.8 | 0x2c4c | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:39.139276981 CET | 192.168.2.3 | 8.8.8.8 | 0x4984 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Jan 14, 2022 14:55:45.845385075 CET | 8.8.8.8 | 192.168.2.3 | 0x354d | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:48.595556021 CET | 8.8.8.8 | 192.168.2.3 | 0x7217 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:51.267457962 CET | 8.8.8.8 | 192.168.2.3 | 0x1e2 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:54.053494930 CET | 8.8.8.8 | 192.168.2.3 | 0x5d28 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:56.949445963 CET | 8.8.8.8 | 192.168.2.3 | 0xc746 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:59.660417080 CET | 8.8.8.8 | 192.168.2.3 | 0x47a0 | No error (0) | 0.tcp.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:03.006030083 CET | 8.8.8.8 | 192.168.2.3 | 0x53ee | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:05.935421944 CET | 8.8.8.8 | 192.168.2.3 | 0x1b23 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:08.812231064 CET | 8.8.8.8 | 192.168.2.3 | 0x7451 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:11.736334085 CET | 8.8.8.8 | 192.168.2.3 | 0xa4dd | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:14.474361897 CET | 8.8.8.8 | 192.168.2.3 | 0xb74 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:17.238837957 CET | 8.8.8.8 | 192.168.2.3 | 0xd3e | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:20.162110090 CET | 8.8.8.8 | 192.168.2.3 | 0x4e7a | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:23.126688004 CET | 8.8.8.8 | 192.168.2.3 | 0x900e | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:25.867337942 CET | 8.8.8.8 | 192.168.2.3 | 0xa643 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:28.568577051 CET | 8.8.8.8 | 192.168.2.3 | 0x1087 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:31.262999058 CET | 8.8.8.8 | 192.168.2.3 | 0x990c | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:33.969996929 CET | 8.8.8.8 | 192.168.2.3 | 0x8d4 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:36.825191021 CET | 8.8.8.8 | 192.168.2.3 | 0xf5b | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:39.572302103 CET | 8.8.8.8 | 192.168.2.3 | 0x135d | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:42.254549980 CET | 8.8.8.8 | 192.168.2.3 | 0x8ce5 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:44.930639029 CET | 8.8.8.8 | 192.168.2.3 | 0x1565 | No error (0) | 0.tcp.ngrok.io | | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:47.586004019 CET | 8.8.8.8 | 192.168.2.3 | 0xfe29 | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:50.337717056 CET | 8.8.8.8 | 192.168.2.3 | 0xecf | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:53.101566076 CET | 8.8.8.8 | 192.168.2.3 | 0xa4dd | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:55.918054104 CET | 8.8.8.8 | 192.168.2.3 | 0x6f54 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:58.608932018 CET | 8.8.8.8 | 192.168.2.3 | 0x3abe | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:01.289280891 CET | 8.8.8.8 | 192.168.2.3 | 0xa299 | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:03.965209007 CET | 8.8.8.8 | 192.168.2.3 | 0x5d9f | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:06.680274010 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff4 | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:09.419737101 CET | 8.8.8.8 | 192.168.2.3 | 0x296d | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:12.220947981 CET | 8.8.8.8 | 192.168.2.3 | 0xcb98 | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:14.890022993 CET | 8.8.8.8 | 192.168.2.3 | 0x7190 | No error (0) | 0.tcp.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:17.553966999 CET | 8.8.8.8 | 192.168.2.3 | 0x2b1b | No error (0) | 0.tcp.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:20.201327085 CET | 8.8.8.8 | 192.168.2.3 | 0x732d | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:22.950678110 CET | 8.8.8.8 | 192.168.2.3 | 0xff31 | No error (0) | 0.tcp.ngrok.io | | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:25.649379969 CET | 8.8.8.8 | 192.168.2.3 | 0x3ef9 | No error (0) | 0.tcp.ngrok.io | | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:28.331880093 CET | 8.8.8.8 | 192.168.2.3 | 0x5e29 | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:30.998452902 CET | 8.8.8.8 | 192.168.2.3 | 0xf575 | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:33.639610052 CET | 8.8.8.8 | 192.168.2.3 | 0xec81 | No error (0) | 0.tcp.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:36.375444889 CET | 8.8.8.8 | 192.168.2.3 | 0x2c4c | No error (0) | 0.tcp.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:39.159666061 CET | 8.8.8.8 | 192.168.2.3 | 0x4984 | No error (0) | 0.tcp.ngrok.io | | 3.22.30.40 | A (IP address) | IN (0x0001)
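
                        The DNS and TCP tables above show one pattern repeated for the whole capture: the sample resolves 0.tcp.ngrok.io roughly every three seconds, the resolver returns one of five different addresses, and the sample immediately opens a TCP connection to whichever address it just received, always on port 13467. Blocking any single address is pointless because the tunnel broker reassigns them; the durable signal is the combination of a tunnel-broker hostname, a short regular resolution cadence, and connections to the returned addresses on a non-standard port. The Python script below, an added example that is not part of the Joe Sandbox report, correlates the two tables to produce exactly that finding. The record lists are hand-copied from this page's DNS Answers and TCP Packets tables with timestamps truncated to whole seconds; the example.com answer and the port 443 connection are constructed controls, and the suffix list, port allow-list and beacon thresholds are assumptions to tune per environment.

```python
"""Correlate DNS answers with outbound TCP connections to surface a tunnelled C2 beacon.

Added example; not part of the Joe Sandbox report. The records are a hand-copied
subset of this report's DNS Answers and TCP Packets tables (timestamps truncated
to whole seconds). The example.com answer and the port 443 connection are
constructed controls. Suffixes, port allow-list and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Hostnames handed out by tunnel brokers; trivial for an operator to obtain and rotate (assumption)
TUNNEL_SUFFIXES = (".tcp.ngrok.io", ".ngrok.io")
# Destination ports treated as ordinary egress (assumption; tune per environment)
ORDINARY_PORTS = {22, 25, 53, 80, 443, 587, 993, 8080, 8443}
# A name counts as beaconing when resolved at least this often, this regularly (assumptions)
MIN_RESOLUTIONS = 5
MAX_MEDIAN_GAP_SECONDS = 10.0

# (timestamp, queried name, answered A record), copied from the report's DNS Answers table
DNS_ANSWERS = [
    ("2022-01-14 14:55:45", "0.tcp.ngrok.io", "3.17.7.232"),
    ("2022-01-14 14:55:46", "example.com", "93.184.216.34"),  # constructed control
    ("2022-01-14 14:55:48", "0.tcp.ngrok.io", "3.17.7.232"),
    ("2022-01-14 14:55:51", "0.tcp.ngrok.io", "3.17.7.232"),
    ("2022-01-14 14:55:54", "0.tcp.ngrok.io", "3.17.7.232"),
    ("2022-01-14 14:55:56", "0.tcp.ngrok.io", "3.14.182.203"),
    ("2022-01-14 14:55:59", "0.tcp.ngrok.io", "3.13.191.225"),
    ("2022-01-14 14:56:03", "0.tcp.ngrok.io", "3.14.182.203"),
    ("2022-01-14 14:56:05", "0.tcp.ngrok.io", "3.14.182.203"),
    ("2022-01-14 14:56:08", "0.tcp.ngrok.io", "3.14.182.203"),
    ("2022-01-14 14:56:11", "0.tcp.ngrok.io", "3.22.30.40"),
    ("2022-01-14 14:56:39", "0.tcp.ngrok.io", "3.134.125.175"),
]

# (timestamp, src ip, src port, dst ip, dst port): first packet of each outbound
# connection in the report's TCP Packets table, plus one constructed benign connection
TCP_CONNECTS = [
    ("2022-01-14 14:55:46", "192.168.2.3", 49700, "93.184.216.34", 443),  # constructed control
    ("2022-01-14 14:55:54", "192.168.2.3", 49758, "3.17.7.232", 13467),
    ("2022-01-14 14:55:56", "192.168.2.3", 49759, "3.14.182.203", 13467),
    ("2022-01-14 14:55:59", "192.168.2.3", 49760, "3.13.191.225", 13467),
    ("2022-01-14 14:56:03", "192.168.2.3", 49761, "3.14.182.203", 13467),
    ("2022-01-14 14:56:05", "192.168.2.3", 49762, "3.14.182.203", 13467),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def resolution_gaps(dns_answers):
    """Seconds between consecutive resolutions of each name, in time order."""
    stamps = defaultdict(list)
    for ts, name, _ in dns_answers:
        stamps[name].append(_ts(ts))
    gaps = {}
    for name, times in stamps.items():
        times.sort()
        gaps[name] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def answered_addresses(dns_answers):
    """Every address each name resolved to during the capture."""
    addrs = defaultdict(set)
    for _, name, addr in dns_answers:
        addrs[name].add(addr)
    return addrs


def find_tunnel_beacons(dns_answers, tcp_connects):
    """One finding per name that sits under a tunnel-broker domain, is re-resolved
    on a short regular cadence, and receives connections on a non-standard port
    at the addresses it resolved to. The finding keys on the name and the port,
    which survive address rotation; a single address would not."""
    findings = []
    gaps = resolution_gaps(dns_answers)
    for name, addrs in answered_addresses(dns_answers).items():
        if not name.endswith(TUNNEL_SUFFIXES):
            continue
        name_gaps = gaps[name]
        resolutions = len(name_gaps) + 1
        if resolutions < MIN_RESOLUTIONS or median(name_gaps) > MAX_MEDIAN_GAP_SECONDS:
            continue
        # Connections whose destination is one of this name's answers
        related = [c for c in tcp_connects if c[3] in addrs]
        odd_ports = Counter(c[4] for c in related if c[4] not in ORDINARY_PORTS)
        if not odd_ports:
            continue
        findings.append({
            "name": name,
            "resolutions": resolutions,
            "median_gap_seconds": median(name_gaps),
            "distinct_addresses": len(addrs),
            "c2_ports": dict(odd_ports),
            "connections": len(related),
        })
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_beacons(DNS_ANSWERS, TCP_CONNECTS):
        print(finding)
```

Run against the subset above it reports a single finding for 0.tcp.ngrok.io: eleven resolutions at a median gap of three seconds, five distinct addresses, and five connections to port 13467. The same logic applied to passive-DNS and flow logs from a real network needs the thresholds tuned, since CDN-fronted names also rotate addresses; what they do not do is pair that rotation with a tunnel-broker suffix and a fixed high port.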

                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        General

                        Start time: 14:55:24
                        Start date: 14/01/2022
                        Path: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"
                        Imagebase: 0x840000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time: 14:55:32
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe"
                        Imagebase: 0xc70000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 77%, Virustotal, Browse
                        • Detection: 86%, Metadefender, Browse
                        • Detection: 95%, ReversingLabs
                        Reputation: low

                        General

                        Start time: 14:55:40
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\netsh.exe
                        Wow64 process (32bit): true
                        Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
                        Imagebase: 0xe40000
                        File size: 82944 bytes
                        MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high
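
                        The process list records the persistence and firewall-tampering steps in order: the sample copies itself to C:\Users\user\AppData\Roaming\System.exe (same MD5 and size as the original), the copy runs netsh firewall add allowedprogram to whitelist itself in the Windows Firewall, and the same binary is then relaunched from that path. Each step is something endpoint telemetry can test for on its own. The Python script below is an added example, not part of the Joe Sandbox report: it scores process-creation records for three behaviours visible here, a netsh firewall exception whose program path lies in a user-writable directory, a binary using a Windows-component name outside C:\Windows, and one hash executing from more than one path. The records are copied from this page's System Behavior entries (the report gives no parent/child links, so none are assumed); the directory pattern, the name list and the netsh syntax variants are assumptions to tune per environment.

```python
"""Flag host-side persistence and firewall-tampering steps in process records.

Added example; not part of the Joe Sandbox report. PROCESSES is copied from this
report's System Behavior entries. The directory pattern, the borrowed-name list
and the two netsh syntaxes are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to (assumption; extend per environment)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|desktop|downloads|documents)"
    r"|programdata|windows\\temp)\\", re.I)

# Names of Windows components that malware likes to borrow (assumption)
SYSTEM_LIKE_NAMES = {"system.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                     "winlogon.exe", "services.exe", "explorer.exe"}

# Legacy 'netsh firewall' syntax (what this sample used) and the current
# 'netsh advfirewall' syntax; both capture the program being whitelisted
NETSH_LEGACY = re.compile(
    r'^netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(
    r'^netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.I)

# Process-creation records copied from the report (start time, path, command line, MD5)
PROCESSES = [
    {"start": "14:55:24",
     "path": r"C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe",
     "cmdline": r'"C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877"},
    {"start": "14:55:32",
     "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe"',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877"},
    {"start": "14:55:40",
     "path": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE',
     "md5": "A0AA3322BB46BBFC36AB9DC1DBBBB807"},
    {"start": "14:55:41",
     "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496"},
    {"start": "14:55:51",
     "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe" ..',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877"},
]


def firewall_exception_target(cmdline):
    """Program path a netsh command whitelists, or None if it is not such a command."""
    for rx in (NETSH_LEGACY, NETSH_ADV):
        m = rx.match(cmdline.strip())
        if m:
            return m.group(1) or m.group(2)
    return None


def analyse(processes):
    """Return sorted (rule, detail) pairs; repeated launches collapse to one finding."""
    findings = set()
    paths_by_hash = defaultdict(set)
    for p in processes:
        path = p["path"]
        paths_by_hash[p["md5"].lower()].add(path.lower())
        target = firewall_exception_target(p["cmdline"])
        if target and USER_WRITABLE.match(target):
            findings.add(("firewall_exception_in_user_writable_dir", target))
        name = PureWindowsPath(path).name.lower()
        if name in SYSTEM_LIKE_NAMES and not path.lower().startswith("c:\\windows\\"):
            findings.add(("system_name_outside_windows_dir", path))
    for md5, paths in paths_by_hash.items():
        if len(paths) > 1:
            findings.add(("same_hash_run_from_multiple_paths", md5 + " " + ";".join(sorted(paths))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in analyse(PROCESSES):
        print(f"{rule}: {detail}")
```

On the records from this page the script raises all three rules. The firewall rule is the most specific of the three: legitimate installers add exceptions for programs under Program Files, not under a user's roaming profile, so the user-writable check alone is a high-confidence signal and a natural candidate for a Sysmon event ID 1 or Windows 4688 query.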

                        General

                        Start time: 14:55:41
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\conhost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase: 0x7ff7f20f0000
                        File size: 625664 bytes
                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 14:55:51
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase: 0xf50000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: false
                        Has administrator privileges: false
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time: 14:55:59
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase: 0x50000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: false
                        Has administrator privileges: false
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time:14:56:07
                        Start date:14/01/2022
                        Path:C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase:0x510000
                        File size:37888 bytes
                        MD5 hash:70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation:low

                        Disassembly

                        Code Analysis
