njrat | f5df17fe1d42b1bcb04578bc05f1ae9787d12ebb5c18cf4df18c861120be0532

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CROCODILEJFDHJRTA.exe
Size

2.1MB
MD5

149f649f898409182fcad1ef424ca4cf
SHA1

89098a69e94ed941385bc2ebf00cd8d3c4e47450
SHA256

f5df17fe1d42b1bcb04578bc05f1ae9787d12ebb5c18cf4df18c861120be0532
SHA512

3dbba29127add72bf5e4f3c7ef5e24d4f693d67b28b2650b0a2364a17274fc0967387ca860ec5d619e40c884b54af41fb9c54425e2aaaa4e3e7555d998ce9a06
SSDEEP

49152:6XtCE3Q3PNxLtxcpMLtxcpVLtxcpNCCjAli9LrLtxcF6+zI:UCl1cpkcpxcpNCdCXcF6+U

Score

10^/10

njrat wolfhack2025 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

WolfHack2025

MyGokerMan.casacam.net:1177

Mutex

2fb285a3ab85d98e0058730eba4d5b56

Attributes

reg_key
2fb285a3ab85d98e0058730eba4d5b56
splitter
|'|'|

Extracted

Family

njrat

Version

v2.0

Botnet

WolfHack2025

MyGokerMan.casacam.net:5552

Mutex

Chrowin3285550

Attributes

reg_key
Chrowin3285550
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1976	netsh.exe
2968	netsh.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.lnk	Chrowin32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fb285a3ab85d98e0058730eba4d5b56.exe	svchots.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fb285a3ab85d98e0058730eba4d5b56.exe	svchots.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afe4974d1ba5b33cd1f1577f919e7de5.exe	wincheon64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afe4974d1ba5b33cd1f1577f919e7de5.exe	wincheon64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.exe	Chrowin32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.exe	Chrowin32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.lnk	2.EXE

Executes dropped EXE 9 IoCs

pid	Process
1756	Gaming.exe
2632	GameHarroer.exe
1692	3.EXE
2920	4.EXE
2908	1.EXE
2704	2.EXE
2284	wincheon64.exe
3024	svchots.exe
2332	Chrowin32.exe

Loads dropped DLL 11 IoCs

pid	Process
2240	CROCODILEJFDHJRTA.exe
2240	CROCODILEJFDHJRTA.exe
2240	CROCODILEJFDHJRTA.exe
2632	GameHarroer.exe
2632	GameHarroer.exe
2632	GameHarroer.exe
2920	4.EXE
2920	4.EXE
1692	3.EXE
2908	1.EXE
2704	2.EXE

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fb285a3ab85d98e0058730eba4d5b56 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchots.exe\" .."	svchots.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2fb285a3ab85d98e0058730eba4d5b56 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchots.exe\" .."	svchots.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\afe4974d1ba5b33cd1f1577f919e7de5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wincheon64.exe\" .."	wincheon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\afe4974d1ba5b33cd1f1577f919e7de5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wincheon64.exe\" .."	wincheon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrowin32855502 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrowin3285550.URL"	Chrowin32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrowin32855502 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrowin32.exe"	2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Chrowin32855502 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrowin3285550.URL"	Chrowin32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrowin3285550 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrowin3285550.URL"	Chrowin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Chrowin3285550 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrowin3285550.URL"	Chrowin32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CROCODILEJFDHJRTA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameHarroer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaming.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrowin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wincheon64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchots.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe
1756	Gaming.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	Gaming.exe
Token: SeDebugPrivilege	3024	svchots.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: SeDebugPrivilege	2284	wincheon64.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: SeDebugPrivilege	2332	Chrowin32.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe
Token: 33	2284	wincheon64.exe
Token: SeIncBasePriorityPrivilege	2284	wincheon64.exe
Token: 33	2332	Chrowin32.exe
Token: SeIncBasePriorityPrivilege	2332	Chrowin32.exe
Token: 33	3024	svchots.exe
Token: SeIncBasePriorityPrivilege	3024	svchots.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1756	2240	CROCODILEJFDHJRTA.exe	30
PID 2240 wrote to memory of 1756	2240	CROCODILEJFDHJRTA.exe	30
PID 2240 wrote to memory of 1756	2240	CROCODILEJFDHJRTA.exe	30
PID 2240 wrote to memory of 1756	2240	CROCODILEJFDHJRTA.exe	30
PID 2240 wrote to memory of 2632	2240	CROCODILEJFDHJRTA.exe	31
PID 2240 wrote to memory of 2632	2240	CROCODILEJFDHJRTA.exe	31
PID 2240 wrote to memory of 2632	2240	CROCODILEJFDHJRTA.exe	31
PID 2240 wrote to memory of 2632	2240	CROCODILEJFDHJRTA.exe	31
PID 2632 wrote to memory of 1692	2632	GameHarroer.exe	33
PID 2632 wrote to memory of 1692	2632	GameHarroer.exe	33
PID 2632 wrote to memory of 1692	2632	GameHarroer.exe	33
PID 2632 wrote to memory of 1692	2632	GameHarroer.exe	33
PID 2632 wrote to memory of 2920	2632	GameHarroer.exe	34
PID 2632 wrote to memory of 2920	2632	GameHarroer.exe	34
PID 2632 wrote to memory of 2920	2632	GameHarroer.exe	34
PID 2632 wrote to memory of 2920	2632	GameHarroer.exe	34
PID 2920 wrote to memory of 2908	2920	4.EXE	35
PID 2920 wrote to memory of 2908	2920	4.EXE	35
PID 2920 wrote to memory of 2908	2920	4.EXE	35
PID 2920 wrote to memory of 2908	2920	4.EXE	35
PID 2920 wrote to memory of 2704	2920	4.EXE	36
PID 2920 wrote to memory of 2704	2920	4.EXE	36
PID 2920 wrote to memory of 2704	2920	4.EXE	36
PID 2920 wrote to memory of 2704	2920	4.EXE	36
PID 1692 wrote to memory of 2284	1692	3.EXE	37
PID 1692 wrote to memory of 2284	1692	3.EXE	37
PID 1692 wrote to memory of 2284	1692	3.EXE	37
PID 1692 wrote to memory of 2284	1692	3.EXE	37
PID 2908 wrote to memory of 3024	2908	1.EXE	38
PID 2908 wrote to memory of 3024	2908	1.EXE	38
PID 2908 wrote to memory of 3024	2908	1.EXE	38
PID 2908 wrote to memory of 3024	2908	1.EXE	38
PID 2704 wrote to memory of 2332	2704	2.EXE	39
PID 2704 wrote to memory of 2332	2704	2.EXE	39
PID 2704 wrote to memory of 2332	2704	2.EXE	39
PID 2704 wrote to memory of 2332	2704	2.EXE	39
PID 2704 wrote to memory of 1096	2704	2.EXE	40
PID 2704 wrote to memory of 1096	2704	2.EXE	40
PID 2704 wrote to memory of 1096	2704	2.EXE	40
PID 2704 wrote to memory of 1096	2704	2.EXE	40
PID 3024 wrote to memory of 1976	3024	svchots.exe	42
PID 3024 wrote to memory of 1976	3024	svchots.exe	42
PID 3024 wrote to memory of 1976	3024	svchots.exe	42
PID 3024 wrote to memory of 1976	3024	svchots.exe	42
PID 2284 wrote to memory of 2968	2284	wincheon64.exe	44
PID 2284 wrote to memory of 2968	2284	wincheon64.exe	44
PID 2284 wrote to memory of 2968	2284	wincheon64.exe	44
PID 2284 wrote to memory of 2968	2284	wincheon64.exe	44

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe
"C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\Gaming.exe
  "C:\Users\Admin\AppData\Local\Temp\Gaming.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
  "C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\3.EXE
    "C:\Users\Admin\AppData\Local\Temp\3.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\wincheon64.exe
      "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe" "wincheon64.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2968
- - C:\Users\Admin\AppData\Local\Temp\4.EXE
    "C:\Users\Admin\AppData\Local\Temp\4.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\svchots.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchots.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchots.exe" "svchots.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\2.EXE
      "C:\Users\Admin\AppData\Local\Temp\2.EXE"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe

Filesize
202KB

MD5
90de032c5bc78043531d08ed1bf8ec19

SHA1
edd41ecf58e32c3f57ba90ee2fcf3d0e4a9c2cf1

SHA256
98df5e2377549819b17759d05406f3c97711a76836aa2bf427ef08045b5ef80d

SHA512
5ec5e7a4c35312bf7be5a3353aab857e98c7c0d68188a0b488574027236d1c14118924d500d82d11814c59f85d572226da71620d818d1df49eac95dac080ed8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.lnk

Filesize
1KB

MD5
cd6069f41b569f1444b2966a9a38f9b6

SHA1
d1dbf44c7041f248d2c0e8fdec87bcc516019310

SHA256
44142f297eafbd2d3a0df73ce7c299e58c71584ada25e506b094451f1a097a33

SHA512
f216eab61db69c31dbf731d29770fa97998ab341078cdf9d48ef890a9be9633d0f15b35c8830604076bb4946485804ec290969dd192e1d84d237b4a5aff3431d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrowin3285550.lnk

Filesize
1KB

MD5
9f32dd89453ebd1dc391c18b1f841efb

SHA1
e8cca38f38b68b80824df279fef21d4e5957f2bf

SHA256
33e4bbb56c84a33d9df2937f4ef831627ff59f164ceb1f0a2863a51dd833c2fe

SHA512
a0ad5521642ab3057c2c1517f12be6f5cdb3e50ab90e7a54ee800f6e8737a1a5a7d3c27b459570eb207f1dde96c33e6dbe3fb30529d4c4cba2f1c4718d6f9dac

Download Submit
\Users\Admin\AppData\Local\Temp\1.EXE

Filesize
37KB

MD5
c6a973c4f6ea4969cae1c41d25c5d78c

SHA1
12efa1281e57437119df3c8488cd4daadabc80c3

SHA256
5a93d1082d4fa0b442f3bf42066a22cdba8f32f2d50dbc1dd9f4db81fa73b496

SHA512
4d03fb5bdf9cf340b0a6809858f8da2d0e834f58cfb2182828e16b9a5faae5aeae154c5f7643298e54b3f0e1b8f33265bad82191b9a58bc3dadf3d4f99adb25e

Download Submit
\Users\Admin\AppData\Local\Temp\2.EXE

Filesize
27KB

MD5
a5d943b57ae77aab0788d29333ab1227

SHA1
4d94e5d4ec4822f4562042216e614c3dddf447c1

SHA256
2b7eb9a069471b3547adbfcb21c0d76424ba07b5a556693e377bd72223447b6f

SHA512
d46dc2c74679c33d0a981b297e24a142393ce06e063cd2a859b375beb0d5b0fa134ca3241bdbc01f77f02ad85ac3cf697bed640cb708449051c855412b9fce0b

Download Submit
\Users\Admin\AppData\Local\Temp\3.EXE

Filesize
32KB

MD5
4f5d50f723896266e70dbb5a0e72ff21

SHA1
d3b1fe30f1baaf9e1d34baeb3eaf75619129e490

SHA256
83ed6bee9f71403ad9f43b467b99205230e043833a3d014964e79e603613879d

SHA512
a8e7ae8aa0a03ccf82be1a58595a17642c8045cf9886266f74ca72b8a23485e9e011ec2018fc9ebd6a9f5c69c5583cc6951ef3320d87037d5f2a8ebc2e6a16e6

Download Submit
\Users\Admin\AppData\Local\Temp\4.EXE

Filesize
117KB

MD5
89514d6d4e78ab9f33f24f99ea3b1361

SHA1
5e055754b253e2814a1d081a66236b583d982a8b

SHA256
8da8b662e1e221793959653c7fb940e2313e5cab2325a3dd7392380924f6129a

SHA512
c81f102c4579ad0f27dfcb60aacd22f351f13f988e4a8080092edb64cef9b4006298e94ce55f6d5cff0aef07e5eb7fa2a6c981b8023f9f1827df387d497f7fb9

Download Submit
\Users\Admin\AppData\Local\Temp\Gaming.exe

Filesize
1.5MB

MD5
205604c1ca8e135124962cd5a04b3ca9

SHA1
1d4816032549ad0d2e64d95a873034a80ef3744b

SHA256
b95b972f8212de7598ec32e544b5689c6f9b4beef8c2fdc41b5ca5a7b11e3ce8

SHA512
69c189b597ce3ad37aad873f224faa439c085cb7af3594cedcdbe0100d41ec4f61c2eb161e698cacdacb5d198e388b1896a5f4b8250ee910690c6cc53f14cdf6

Download Submit
memory/1756-50-0x00000000002A0000-0x0000000000428000-memory.dmp

Filesize
1.5MB

Download
memory/2240-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/2240-20-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download