Malware analysis NjRat.7z Malicious activity | ANY.RUN

Add for printing

File name:	NjRat.7z
Full analysis:	https://app.any.run/tasks/2889fcc7-7d84-47bd-87bc-f96012d0e1bb
Verdict:	Malicious activity
Threats:	njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 27, 2023, 22:42:32
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat njrat bladabindi
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	00E82CE512171EF4A37E89966650A5A0
SHA1:	81532A0CBD007A03F9AB34DA96800B90C8390046
SHA256:	1113C9DD2B16BCFA286F9E477A2FC904F2EC76DDC8BC3D25E5D124AA7B4F1CBF
SSDEEP:	98304:pxODrDuidmvd/oJPTXbMCSw1EcnZjhJCNTSslACGu7TW4Y2C1il4z5RL05TfSOv7:KOl48Nyp09

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - yolo.exe (PID: 4088)
  - man.exe (PID: 3252)
  - STOP.exe (PID: 3360)
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - swagg.exe.exe (PID: 3656)
  - wsmlol.exe (PID: 2088)
  - naga.exe (PID: 3248)
  - pepe.exe (PID: 1560)
  - n.exe (PID: 2108)
  - Trojan.exe (PID: 2312)
  - pa.exe (PID: 2960)
  - prg.exe (PID: 3788)
  - ford.exe (PID: 292)
  - lola.exe (PID: 1624)
  - la.g.exe (PID: 3160)
  - pol.exe (PID: 2856)
  - scvhost.exe (PID: 3052)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - RealUpgrade.exe (PID: 2932)
  - java.exe (PID: 1696)
  - click.exe (PID: 1232)
  - qwe.exe (PID: 1884)
  - x.exe (PID: 2952)
  - PSLIP~1.EXE (PID: 2380)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - a.exe (PID: 3112)
  - spoolsv.exe (PID: 3220)
  - mohd.exe (PID: 3712)
  - saps.exe (PID: 1608)
  - asdaasd.exe (PID: 1612)
  - Win7.exe (PID: 3988)
  - onedrive.exe (PID: 900)
- Create files in the Startup directory
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - wsmlol.exe (PID: 2088)
  - Trojan.exe (PID: 2312)
  - scvhost.exe (PID: 3052)
  - java.exe (PID: 1696)
  - RealUpgrade.exe (PID: 2932)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - file.exe (PID: 2788)
  - system.exe (PID: 3796)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - Win7.exe (PID: 3988)
- NjRAT is detected
  - mann.exe (PID: 3240)
  - Trojan.exe (PID: 3400)
  - trojen.exe (PID: 3500)
  - clck.exe (PID: 2804)
  - pa.exe (PID: 2960)
  - icoe.e.exe (PID: 3524)
  - asfjakf.exe (PID: 580)
  - wsmlol.exe (PID: 2088)
  - vpn.exe (PID: 1072)
  - qwe.exe (PID: 1884)
  - Хост-процесс для служб Windows.exe (PID: 3356)
  - Trojan.exe (PID: 2312)
  - scvhost.exe (PID: 3052)
  - java.exe (PID: 1696)
  - RealUpgrade.exe (PID: 2932)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - onedrive.exe (PID: 900)
  - Win7.exe (PID: 3988)
  - Dllhost.exe (PID: 3252)
- Changes the autorun value in the registry
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - wsmlol.exe (PID: 2088)
  - Trojan.exe (PID: 2312)
  - java.exe (PID: 1696)
  - scvhost.exe (PID: 3052)
  - RealUpgrade.exe (PID: 2932)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - spoolsv.exe (PID: 3220)
  - mohd.exe (PID: 3712)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - Win7.exe (PID: 3988)
- UAC/LUA settings modification
  - b.exe (PID: 2996)
- NJRAT has been detected (YARA)
  - swagg.exe (PID: 4000)
- Uses Task Scheduler to run other applications
  - onedrive.exe (PID: 900)
  - Dllhost.exe (PID: 3252)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 3056)
- Reads the Internet Settings
  - man.exe (PID: 3252)
  - yolo.exe (PID: 4088)
  - STOP.exe (PID: 3360)
  - Facebook.exe (PID: 3884)
  - aswag.exe (PID: 2064)
  - swagg.exe.exe (PID: 3656)
  - onedrive.exe (PID: 900)
  - Dllhost.exe (PID: 3252)
- Starts itself from another location
  - yolo.exe (PID: 4088)
  - man.exe (PID: 3252)
  - swagg.exe.exe (PID: 3656)
  - pepe.exe (PID: 1560)
  - pa.exe (PID: 2960)
  - ford.exe (PID: 292)
  - pol.exe (PID: 2856)
  - lola.exe (PID: 1624)
  - la.g.exe (PID: 3160)
  - prg.exe (PID: 3788)
  - x.exe (PID: 2952)
  - PSLIP~1.EXE (PID: 2380)
  - a.exe (PID: 3112)
  - saps.exe (PID: 1608)
  - asdaasd.exe (PID: 1612)
  - onedrive.exe (PID: 900)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - swagg.exe (PID: 4000)
  - wsmlol.exe (PID: 2088)
  - Trojan.exe (PID: 2312)
  - java.exe (PID: 1696)
  - RealUpgrade.exe (PID: 2932)
  - scvhost.exe (PID: 3052)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - Win7.exe (PID: 3988)
- Reads Microsoft Outlook installation path
  - Facebook.exe (PID: 3884)
- Connects to unusual port
  - mann.exe (PID: 3240)
  - swagg.exe (PID: 4000)
  - java.exe (PID: 1696)
  - clck.exe (PID: 2804)
  - msnco.exe (PID: 2248)
  - system.exe (PID: 3796)
- Reads Internet Explorer settings
  - Facebook.exe (PID: 3884)
- Detected use of alternative data streams (AltDS)
  - prg.exe (PID: 3788)
  - ja33kk.exe (PID: 3960)
- The process creates files with name similar to system file names
  - lola.exe (PID: 1624)
  - x.exe (PID: 2952)
  - scvhost.exe (PID: 3052)
  - system.exe (PID: 3796)
  - onedrive.exe (PID: 900)
- Uses RUNDLL32.EXE to load library
  - qwe.exe (PID: 1884)
INFO
- Manual execution by a user
  - WinRAR.exe (PID: 3056)
  - yolo.exe (PID: 4088)
  - GO.exe (PID: 3212)
  - STOP.exe (PID: 880)
  - man.exe (PID: 3252)
  - STOP.exe (PID: 3360)
  - onedrive.exe (PID: 900)
  - mann.exe (PID: 3240)
  - aswag.exe (PID: 2064)
  - swagg.exe (PID: 4000)
  - swagg.exe.exe (PID: 3656)
  - wmpnscfg.exe (PID: 1416)
  - zgm.exe (PID: 2624)
  - clck.exe (PID: 2804)
  - prg.exe (PID: 3788)
  - click.exe (PID: 1232)
  - pa.exe (PID: 2960)
  - ptptpt.exe (PID: 3844)
  - icoe.e.exe (PID: 3524)
  - vpn.exe (PID: 1072)
  - pol.exe (PID: 2856)
  - lola.exe (PID: 1624)
  - ford.exe (PID: 292)
  - asfjakf.exe (PID: 580)
  - la.g.exe (PID: 3160)
  - ntvdm.exe (PID: 3924)
  - a.exe (PID: 3112)
  - b.exe (PID: 2996)
  - c.exe (PID: 1844)
  - x.exe (PID: 2952)
  - naga.exe (PID: 3248)
  - lepe.exe (PID: 3768)
  - pepe.exe (PID: 1560)
  - asdaasd.exe (PID: 1612)
  - n.exe (PID: 2108)
  - qwe.exe (PID: 1884)
  - spaga.exe (PID: 3476)
  - saps.exe (PID: 1608)
- Checks supported languages
  - yolo.exe (PID: 4088)
  - GO.exe (PID: 3212)
  - dw20.exe (PID: 3712)
  - man.exe (PID: 3252)
  - STOP.exe (PID: 3360)
  - onedrive.exe (PID: 900)
  - mann.exe (PID: 3240)
  - aswag.exe (PID: 2064)
  - swagg.exe (PID: 4000)
  - Trojan.exe (PID: 3400)
  - trojen.exe (PID: 3500)
  - swagg.exe.exe (PID: 3656)
  - Facebook.exe (PID: 3884)
  - wsmlol.exe (PID: 2088)
  - wmpnscfg.exe (PID: 1416)
  - prg.exe (PID: 3788)
  - zgm.exe (PID: 2624)
  - clck.exe (PID: 2804)
  - click.exe (PID: 1232)
  - ptptpt.exe (PID: 3844)
  - lola.exe (PID: 1624)
  - pa.exe (PID: 2960)
  - icoe.e.exe (PID: 3524)
  - pol.exe (PID: 2856)
  - asfjakf.exe (PID: 580)
  - vpn.exe (PID: 1072)
  - ford.exe (PID: 292)
  - la.g.exe (PID: 3160)
  - c.exe (PID: 1844)
  - a.exe (PID: 3112)
  - x.exe (PID: 2952)
  - b.exe (PID: 2996)
  - naga.exe (PID: 3248)
  - asdaasd.exe (PID: 1612)
  - pepe.exe (PID: 1560)
  - PSLIP~1.EXE (PID: 2380)
  - lepe.exe (PID: 3768)
  - n.exe (PID: 2108)
  - qwe.exe (PID: 1884)
  - Trojan.exe (PID: 2312)
  - 2.exe (PID: 3468)
  - Хост-процесс для служб Windows.exe (PID: 3356)
  - 1.exe (PID: 3628)
  - ja33kk.exe (PID: 3960)
  - java.exe (PID: 1696)
  - RealUpgrade.exe (PID: 2932)
  - scvhost.exe (PID: 3052)
  - msnco.exe (PID: 2248)
  - spaga.exe (PID: 3476)
  - saps.exe (PID: 1608)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - PSLIP~1.EXE (PID: 3288)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - Win7.exe (PID: 3988)
  - Dllhost.exe (PID: 3252)
- Reads the computer name
  - dw20.exe (PID: 3712)
  - mann.exe (PID: 3240)
  - onedrive.exe (PID: 900)
  - man.exe (PID: 3252)
  - yolo.exe (PID: 4088)
  - STOP.exe (PID: 3360)
  - swagg.exe.exe (PID: 3656)
  - aswag.exe (PID: 2064)
  - Facebook.exe (PID: 3884)
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - wsmlol.exe (PID: 2088)
  - wmpnscfg.exe (PID: 1416)
  - swagg.exe (PID: 4000)
  - zgm.exe (PID: 2624)
  - pol.exe (PID: 2856)
  - pa.exe (PID: 2960)
  - ptptpt.exe (PID: 3844)
  - vpn.exe (PID: 1072)
  - prg.exe (PID: 3788)
  - asfjakf.exe (PID: 580)
  - ford.exe (PID: 292)
  - icoe.e.exe (PID: 3524)
  - b.exe (PID: 2996)
  - c.exe (PID: 1844)
  - a.exe (PID: 3112)
  - pepe.exe (PID: 1560)
  - PSLIP~1.EXE (PID: 2380)
  - n.exe (PID: 2108)
  - Хост-процесс для служб Windows.exe (PID: 3356)
  - Trojan.exe (PID: 2312)
  - lola.exe (PID: 1624)
  - la.g.exe (PID: 3160)
  - java.exe (PID: 1696)
  - clck.exe (PID: 2804)
  - RealUpgrade.exe (PID: 2932)
  - ja33kk.exe (PID: 3960)
  - scvhost.exe (PID: 3052)
  - spaga.exe (PID: 3476)
  - msnco.exe (PID: 2248)
  - click.exe (PID: 1232)
  - qwe.exe (PID: 1884)
  - lepe.exe (PID: 3768)
  - x.exe (PID: 2952)
  - 1.exe (PID: 3628)
  - file.exe (PID: 2788)
  - PSLIP~1.EXE (PID: 3288)
  - 2.exe (PID: 3468)
  - system.exe (PID: 3796)
  - mohd.exe (PID: 3712)
  - saps.exe (PID: 1608)
  - spoolsv.exe (PID: 3220)
  - asdaasd.exe (PID: 1612)
  - Dllhost.exe (PID: 3252)
  - Win7.exe (PID: 3988)
- Create files in a temporary directory
  - STOP.exe (PID: 3360)
  - yolo.exe (PID: 4088)
  - man.exe (PID: 3252)
  - Facebook.exe (PID: 3884)
  - trojen.exe (PID: 3500)
  - Trojan.exe (PID: 3400)
  - swagg.exe.exe (PID: 3656)
  - click.exe (PID: 1232)
  - naga.exe (PID: 3248)
  - c.exe (PID: 1844)
  - ford.exe (PID: 292)
  - n.exe (PID: 2108)
  - lola.exe (PID: 1624)
  - x.exe (PID: 2952)
  - PSLIP~1.EXE (PID: 2380)
  - wsmlol.exe (PID: 2088)
  - a.exe (PID: 3112)
  - scvhost.exe (PID: 3052)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - onedrive.exe (PID: 900)
  - asdaasd.exe (PID: 1612)
  - Win7.exe (PID: 3988)
  - Dllhost.exe (PID: 3252)
- Reads the machine GUID from the registry
  - man.exe (PID: 3252)
  - onedrive.exe (PID: 900)
  - Facebook.exe (PID: 3884)
  - yolo.exe (PID: 4088)
  - trojen.exe (PID: 3500)
  - dw20.exe (PID: 3712)
  - aswag.exe (PID: 2064)
  - Trojan.exe (PID: 3400)
  - mann.exe (PID: 3240)
  - swagg.exe.exe (PID: 3656)
  - wmpnscfg.exe (PID: 1416)
  - swagg.exe (PID: 4000)
  - wsmlol.exe (PID: 2088)
  - zgm.exe (PID: 2624)
  - ptptpt.exe (PID: 3844)
  - prg.exe (PID: 3788)
  - ford.exe (PID: 292)
  - a.exe (PID: 3112)
  - b.exe (PID: 2996)
  - icoe.e.exe (PID: 3524)
  - asfjakf.exe (PID: 580)
  - pepe.exe (PID: 1560)
  - pa.exe (PID: 2960)
  - pol.exe (PID: 2856)
  - lola.exe (PID: 1624)
  - la.g.exe (PID: 3160)
  - clck.exe (PID: 2804)
  - java.exe (PID: 1696)
  - ja33kk.exe (PID: 3960)
  - scvhost.exe (PID: 3052)
  - msnco.exe (PID: 2248)
  - Trojan.exe (PID: 2312)
  - RealUpgrade.exe (PID: 2932)
  - Хост-процесс для служб Windows.exe (PID: 3356)
  - qwe.exe (PID: 1884)
  - lepe.exe (PID: 3768)
  - x.exe (PID: 2952)
  - 2.exe (PID: 3468)
  - 1.exe (PID: 3628)
  - file.exe (PID: 2788)
  - PSLIP~1.EXE (PID: 2380)
  - system.exe (PID: 3796)
  - mohd.exe (PID: 3712)
  - spaga.exe (PID: 3476)
  - saps.exe (PID: 1608)
  - spoolsv.exe (PID: 3220)
  - PSLIP~1.EXE (PID: 3288)
  - asdaasd.exe (PID: 1612)
  - Dllhost.exe (PID: 3252)
  - Win7.exe (PID: 3988)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3056)
  - RdrCEF.exe (PID: 3816)
- Creates files or folders in the user directory
  - trojen.exe (PID: 3500)
  - STOP.exe (PID: 3360)
  - Facebook.exe (PID: 3884)
  - dw20.exe (PID: 3712)
  - Trojan.exe (PID: 3400)
  - wsmlol.exe (PID: 2088)
  - pepe.exe (PID: 1560)
  - a.exe (PID: 3112)
  - Trojan.exe (PID: 2312)
  - pa.exe (PID: 2960)
  - prg.exe (PID: 3788)
  - la.g.exe (PID: 3160)
  - scvhost.exe (PID: 3052)
  - java.exe (PID: 1696)
  - msnco.exe (PID: 2248)
  - ja33kk.exe (PID: 3960)
  - RealUpgrade.exe (PID: 2932)
  - qwe.exe (PID: 1884)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - spaga.exe (PID: 3476)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - saps.exe (PID: 1608)
  - Win7.exe (PID: 3988)
  - onedrive.exe (PID: 900)
- Creates files in the program directory
  - STOP.exe (PID: 3360)
  - prg.exe (PID: 3788)
  - a.exe (PID: 3112)
  - mohd.exe (PID: 3712)
- Checks proxy server information
  - Facebook.exe (PID: 3884)
- Reads Environment values
  - trojen.exe (PID: 3500)
  - aswag.exe (PID: 2064)
  - Trojan.exe (PID: 3400)
  - wsmlol.exe (PID: 2088)
  - swagg.exe (PID: 4000)
  - clck.exe (PID: 2804)
  - scvhost.exe (PID: 3052)
  - java.exe (PID: 1696)
  - RealUpgrade.exe (PID: 2932)
  - ja33kk.exe (PID: 3960)
  - msnco.exe (PID: 2248)
  - Trojan.exe (PID: 2312)
  - system.exe (PID: 3796)
  - file.exe (PID: 2788)
  - mohd.exe (PID: 3712)
  - spoolsv.exe (PID: 3220)
  - Win7.exe (PID: 3988)
- Reads mouse settings
  - c.exe (PID: 1844)
- Process checks are UAC notifies on
  - b.exe (PID: 2996)
- Application launched itself
  - AcroRd32.exe (PID: 1212)
  - RdrCEF.exe (PID: 3816)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(4000) swagg.exe

C2musicnote.soundcast.me

Ports95

BotnetTaskMMA

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\db0e5b24d38dbc2eff0e1a06df9e59b7

Splitter|'|'|

Version0.7d

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2023:06:29 08:44:12
ZipCRC:	0xfec7a6ae
ZipCompressedSize:	9297
ZipUncompressedSize:	9297
ZipFileName:	09983f8a77b8aec0f5fb58adccf88a38.7z

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\ja33kk.exe" "ja33kk.exe" ENABLE

C:\Windows\System32\netsh.exe

—

ja33kk.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

292

"C:\Users\admin\Desktop\ford.exe"

C:\Users\admin\Desktop\ford.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\ford.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

536

netsh firewall add allowedprogram "C:\Users\admin\Desktop\swagg.exe" "swagg.exe" ENABLE

C:\Windows\System32\netsh.exe

—

swagg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

580

"C:\Users\admin\Desktop\asfjakf.exe"

C:\Users\admin\Desktop\asfjakf.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\asfjakf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

880

"C:\Users\admin\Desktop\STOP.exe"

C:\Users\admin\Desktop\STOP.exe

—

explorer.exe

User:

admin

Company:

Facebook

Integrity Level:

MEDIUM

Description:

QuadAtom 1.0.0.0 Installation

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\stop.exe
c:\windows\system32\ntdll.dll

900

"C:\Users\admin\Desktop\onedrive.exe"

C:\Users\admin\Desktop\onedrive.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

TilesToPicture

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

904

netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE

C:\Windows\System32\netsh.exe

—

Trojan.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

1072

"C:\Users\admin\Desktop\vpn.exe"

C:\Users\admin\Desktop\vpn.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

OneDrive

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\vpn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1212

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Extracted\Authorization form.pdf"

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

click.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe Acrobat Reader DC

Exit code:

Version:

20.13.20064.405839

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1232

"C:\Users\admin\Desktop\click.exe"

C:\Users\admin\Desktop\click.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\click.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

Add for printing

Total events

49 966

Read events

48 995

Write events

965

Delete events

Modification events


(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2708) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3056) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(3056) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	PswAllArchives
Value: 0

Add for printing

Executable files

Suspicious files

213

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\1D3BAEDD747F6F9BF92C81EB9F63B34B.7z		compressed
		MD5:4F0682762FAE4BD3913255A3820B3D33	SHA256:2D1E5FA93A2E7323B4B06076058200B9544791CC6B9DA0624CF881FA54E2F0AC
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\11B79281A25DA1B798574F667C56898B.7z		compressed
		MD5:8385F5F47F395074EA61D30B0847B744	SHA256:7C60406F2B86B7C45B2AD16632EF7F3126DAA10F49435212E5203737D6315B45
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\3B99F596B36ECE7B6ADD78E3B14A3B17.7z		compressed
		MD5:92972DF881DED9C53BBCB5A85C3320BD	SHA256:2B5FB4696246F24F515885CD61DA3A7AFB3DB50D850D229B9264795F3A1AFAE8
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\2164C555F9F23DCA54E76B94B1747480.7z		compressed
		MD5:FD1BA3CC33BDAD36B7D92CE9C2F9E82F	SHA256:B7707EC632E9592DB53F367319147CBA45BC1D5DA94D801CDE4091147ED70F4B
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\24CC5B811A7F9591E7F2CB9A818BE104.7z		compressed
		MD5:A1B003D20BC7814046AC37C88AAA74EC	SHA256:FA1571B1181F58D02D88DF8F005E1EA37E365CDE7F193B8E3283A1EEBB66FB41
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\2BF859EA02AE3340CD66EB5E46B1A704.7z		compressed
		MD5:1B04CB987D1C4B3ACF3C289BB7E00E2D	SHA256:C1CB5D46BDBD5207BD6E1A779849E81EACD6DB5807EE8273E921A98D17CCACCE
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\09983f8a77b8aec0f5fb58adccf88a38.7z		compressed
		MD5:0FBF604DCD4879B92822B53069902CDC	SHA256:0650AA33DE8A54D09B356FA12BB6F8EE6181CA21AC6A18F96B2CDC4B7FEBFB20
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\2013385034E5C8DFBBE47958FD821CA0.7z		compressed
		MD5:0785D656617D0F943D37B61A3417EF38	SHA256:B0AE8BC0C98516B0E6458107D39F45838EE389626BD9EC0FF91D8B82DE2883AB
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\29DAAD42DAFFFAB5E0F1F96D620E7392.7z		compressed
		MD5:613F73AE3E949546325DE71469C46EEA	SHA256:4F91DA0B7EFCB94830BFBB9E4006F3F68592EC4D63FBE57CC64C49BAA111EBF2
2708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2708.45465\4168543695513F767BA44997EBD71431.7z		compressed
		MD5:FDDE7A9A2CB051FA3C6BB66B5E8A0BF2	SHA256:447CA80D482D3DA2F1D5CE35110E84CAAB96D3773FF4FF26AEFC928C6471B0EA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1080	svchost.exe	GET	200	8.241.122.126:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7f20f9dacb9d6c0b	unknown	compressed	4.66 Kb	unknown
1212	AcroRd32.exe	GET	304	2.19.126.76:80	http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_13_20064.zip	unknown	—	—	unknown
1212	AcroRd32.exe	GET	304	2.19.126.76:80	http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_13_20064.zip	unknown	—	—	unknown
1212	AcroRd32.exe	GET	200	46.228.146.0:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5c0c442981aea5e8	unknown	compressed	4.66 Kb	unknown
1212	AcroRd32.exe	GET	200	192.229.221.95:80	http://crl3.digicert.com/DigiCertGlobalRootCA.crl	unknown	binary	779 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2064	aswag.exe	162.125.66.15:80	dl.dropbox.com	DROPBOX	DE	malicious
3240	mann.exe	136.243.111.71:91	musicnote.soundcast.me	Hetzner Online GmbH	DE	unknown
4000	swagg.exe	136.243.111.71:95	musicnote.soundcast.me	Hetzner Online GmbH	DE	unknown
2804	clck.exe	136.243.111.71:91	musicnote.soundcast.me	Hetzner Online GmbH	DE	unknown
2248	msnco.exe	217.66.231.245:1177	—	Palestine Telecommunications Company (PALTEL)	PS	unknown
1696	java.exe	58.158.177.102:288	kyfen.dyndns.biz	ARTERIA Networks Corporation	JP	unknown

DNS requests

Domain	IP	Reputation
dl.dropbox.com	162.125.66.15	shared
wolblid.zapto.org	—	unknown
m3333m.no-ip.org	—	unknown
musicnote.soundcast.me	136.243.111.71	malicious
wisam77.no-ip.biz	—	unknown
kurdkalar11.zapto.org	—	unknown
kyfen.dyndns.biz	58.158.177.102	malicious
mp3.servemp3.com	—	unknown
dr-vip.no-ip.org	—	unknown
alitatat.no-ip.org	0.0.0.0	unknown

Threats

PID	Process	Class	Message
1080	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.zapto .org
1080	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
1080	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.soundcast .me Domain
1080	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.soundcast .me Domain
1080	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .biz TLD
1080	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
1080	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.zapto .org
1080	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .biz TLD
1080	svchost.exe	Misc activity	AV INFO DYNAMIC_DNS Query to *.dyndns. Domain
1080	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.dyndns .biz Domain

Add for printing

No debug info

General Info

NjRat.7z

00E82CE512171EF4A37E89966650A5A0

81532A0CBD007A03F9AB34DA96800B90C8390046

1113C9DD2B16BCFA286F9E477A2FC904F2EC76DDC8BC3D25E5D124AA7B4F1CBF

98304:pxODrDuidmvd/oJPTXbMCSw1EcnZjhJCNTSslACGu7TW4Y2C1il4z5RL05TfSOv7:KOl48Nyp09

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Create files in the Startup directory

NjRAT is detected

Changes the autorun value in the registry

UAC/LUA settings modification

NJRAT has been detected (YARA)

Uses Task Scheduler to run other applications

SUSPICIOUS

Process drops legitimate windows executable

Reads the Internet Settings

Starts itself from another location

Uses NETSH.EXE to add a firewall rule or allowed programs

Reads Microsoft Outlook installation path

Connects to unusual port

Reads Internet Explorer settings

Detected use of alternative data streams (AltDS)

The process creates files with name similar to system file names

Uses RUNDLL32.EXE to load library

INFO

Manual execution by a user

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Creates files or folders in the user directory

Creates files in the program directory

Checks proxy server information

Reads Environment values

Reads mouse settings

Process checks are UAC notifies on

Application launched itself

Malware configuration

NjRat

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests