njrat | 8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DudeCracker V5.exe
Size

7.9MB
MD5

5c176f78c411c199ca2ec02c5b402810
SHA1

a268ccc95b620b1078602c6d6d3447ff3d8874ed
SHA256

8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338
SHA512

ae33004a339422c90f9ea52111804c323499b9cc516584cc54545245c6a8022d80c92ac206ba30dfa07acc932f8ab792164acd1eaff2670092c4a84fd1f88554
SSDEEP

196608:kivKUcQItzA1HeT39Iigwh1ncKOVVtk7KsUnijQFv4F:HDcvC1+TtIiFv0VQhgW/

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

10cpanel.hackcrack.io:33982

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
2196	powershell.exe
3640	powershell.exe
912	powershell.exe
3352	powershell.exe
3820	powershell.exe
2740	powershell.exe
1508	powershell.exe
2200	powershell.exe
2196	powershell.exe
3640	powershell.exe
912	powershell.exe
3352	powershell.exe
3820	powershell.exe
2740	powershell.exe
1508	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2864	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DudeCracker V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 10 IoCs

pid	Process
2280	Setup.exe
4348	Setup.exe
436	DudeCracker V5 .exe
876	svchost.exe
2476	svchost.exe
1748	DudeCracker V5 .exe
4676	explorer.exe
4864	explorer.exe
4736	version.exe
1652	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe
1748	DudeCracker V5 .exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1836	cmd.exe
4616	cmd.exe
2160	cmd.exe
1488	cmd.exe
916	cmd.exe
2452	cmd.exe
1872	cmd.exe
2240	cmd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023cd7-37.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3900	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe
4676	explorer.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	svchost.exe
Token: SeDebugPrivilege	876	svchost.exe
Token: SeDebugPrivilege	4676	explorer.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe
Token: 33	1652	explorer.exe
Token: SeIncBasePriorityPrivilege	1652	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	explorer.exe
4676	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2280	3540	DudeCracker V5.exe	126
PID 3540 wrote to memory of 2280	3540	DudeCracker V5.exe	126
PID 3540 wrote to memory of 4348	3540	DudeCracker V5.exe	86
PID 3540 wrote to memory of 4348	3540	DudeCracker V5.exe	86
PID 3540 wrote to memory of 436	3540	DudeCracker V5.exe	87
PID 3540 wrote to memory of 436	3540	DudeCracker V5.exe	87
PID 2280 wrote to memory of 876	2280	Setup.exe	89
PID 2280 wrote to memory of 876	2280	Setup.exe	89
PID 4348 wrote to memory of 2476	4348	Setup.exe	90
PID 4348 wrote to memory of 2476	4348	Setup.exe	90
PID 436 wrote to memory of 1748	436	DudeCracker V5 .exe	91
PID 436 wrote to memory of 1748	436	DudeCracker V5 .exe	91
PID 1748 wrote to memory of 816	1748	DudeCracker V5 .exe	92
PID 1748 wrote to memory of 816	1748	DudeCracker V5 .exe	92
PID 876 wrote to memory of 4676	876	svchost.exe	108
PID 876 wrote to memory of 4676	876	svchost.exe	108
PID 4676 wrote to memory of 3732	4676	explorer.exe	109
PID 4676 wrote to memory of 3732	4676	explorer.exe	109
PID 2476 wrote to memory of 4864	2476	svchost.exe	111
PID 2476 wrote to memory of 4864	2476	svchost.exe	111
PID 4736 wrote to memory of 2160	4736	version.exe	113
PID 4736 wrote to memory of 2160	4736	version.exe	113
PID 4736 wrote to memory of 2240	4736	version.exe	115
PID 4736 wrote to memory of 2240	4736	version.exe	115
PID 4736 wrote to memory of 2452	4736	version.exe	116
PID 4736 wrote to memory of 2452	4736	version.exe	116
PID 4736 wrote to memory of 1872	4736	version.exe	118
PID 4736 wrote to memory of 1872	4736	version.exe	118
PID 4736 wrote to memory of 1836	4736	version.exe	121
PID 4736 wrote to memory of 1836	4736	version.exe	121
PID 4736 wrote to memory of 4616	4736	version.exe	123
PID 4736 wrote to memory of 4616	4736	version.exe	123
PID 4736 wrote to memory of 1488	4736	version.exe	124
PID 4736 wrote to memory of 1488	4736	version.exe	124
PID 4736 wrote to memory of 916	4736	version.exe	127
PID 4736 wrote to memory of 916	4736	version.exe	127
PID 2160 wrote to memory of 3352	2160	cmd.exe	132
PID 2160 wrote to memory of 3352	2160	cmd.exe	132
PID 2240 wrote to memory of 2740	2240	cmd.exe	133
PID 2240 wrote to memory of 2740	2240	cmd.exe	133
PID 1872 wrote to memory of 3820	1872	cmd.exe	134
PID 1872 wrote to memory of 3820	1872	cmd.exe	134
PID 2452 wrote to memory of 1508	2452	cmd.exe	135
PID 2452 wrote to memory of 1508	2452	cmd.exe	135
PID 1836 wrote to memory of 2200	1836	cmd.exe	136
PID 1836 wrote to memory of 2200	1836	cmd.exe	136
PID 4616 wrote to memory of 2196	4616	cmd.exe	137
PID 4616 wrote to memory of 2196	4616	cmd.exe	137
PID 916 wrote to memory of 3640	916	cmd.exe	138
PID 916 wrote to memory of 3640	916	cmd.exe	138
PID 1488 wrote to memory of 912	1488	cmd.exe	139
PID 1488 wrote to memory of 912	1488	cmd.exe	139
PID 1748 wrote to memory of 2968	1748	DudeCracker V5 .exe	141
PID 1748 wrote to memory of 2968	1748	DudeCracker V5 .exe	141
PID 4676 wrote to memory of 1652	4676	explorer.exe	143
PID 4676 wrote to memory of 1652	4676	explorer.exe	143
PID 1652 wrote to memory of 2864	1652	explorer.exe	146
PID 1652 wrote to memory of 2864	1652	explorer.exe	146

C:\Users\Admin\AppData\Local\Temp\DudeCracker V5.exe
"C:\Users\Admin\AppData\Local\Temp\DudeCracker V5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4676
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\ehaeopfd.inf
        5⤵
        
        PID:3732
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2864
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      PID:4864
- C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
  "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
    "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3640

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
8e1e19a5abcce21f8a12921d6a2eeeee

SHA1
b5704368dfd8fc7aeafb15c23b69895e809fe20e

SHA256
22cf24d10cc11a9bb23268f18afbc8f3481c27e1feb4cb42ba5c8775e12720e3

SHA512
48365f858592d677ef5d0e2948f672234898e47a153eec32592a2e079353702a64e41e1aa59250f05bd690690b9edfb8455dfac90c6695fb7c0b6907a057fe78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
319B

MD5
1f4a3f3b5900f2f7ddda4a1565ec4575

SHA1
e2aa4b7330d6f28a4c206b9a11ebc8c80e424bf4

SHA256
39ab4221a84e7c6ec098b7e4fbe41c0df3d2c3e0da386346e9d379698eebfea0

SHA512
5519c59643c237f1678e757b3ea3abeedc9a9e117e119dadfd60bba2f1a1c9be0f622a5f5f82621cac3e42c5ed5e6dff82b3e8b7ad6bcf698a635a63d659e543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
8e9089cad91c0c44ed582752be2e0ba7

SHA1
9f46ad1051543ec908413a8b323fe39d663c82a0

SHA256
d607a7cb2f3bc8a26b58212f8ffa0688610bdb7ed0c455913ca8d39b8f17ca38

SHA512
8a21f2f3d6c229e17c545f5cc09a0614e54a3d84d2bd62b5ba745d942d898e958e09c0216e0f8fffbbc3453f1e47417369be08237a3eeb4e787b7ba40222b8b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe

Filesize
7.4MB

MD5
e3e2fad51a4d21b9632fda09172195fc

SHA1
b878a6f45b40e99f0d8bce2e34d87e0a9718cce1

SHA256
cb390e5d5db3e7812632d3d0b7b1aabf93d3637c2c5fd680dc9efcabcdab7a6f

SHA512
89f6c1e836bb8dfac4715128f1b31fdd0d301b943a07b9795321e7b79a48d705fd2adc4e2a48a38b4b3379b861eea788684753da347bbf190bbd98d7a1a0a140

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\base_library.zip

Filesize
1.3MB

MD5
68f96a1f0b49d240b392ebb7ea147939

SHA1
5d8aa0cccc0f744f17e546ef7120308016cb5438

SHA256
29556cc179d145e9f64d287f0455991bd62a8dc4304e20429f83a1a40959fd09

SHA512
b326d5feb4f9b3d76254240dc3b0d16cb60c0a47d75ab7a1742fe7bb0bdfafff00a9d24a4c84559f1b2b04d23fd4f53d3b8d654532cb7c57c60bb83041331d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdea3lyo.adg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehaeopfd.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
358KB

MD5
59a4e3557cba5cd6e3241bc17cabb577

SHA1
d668b5fc3bd2fdf0b556cc62d863cc663c859d14

SHA256
524f0223999e825f11898e1bac85bcf7526902da9d2796f42a068144cdd0dc53

SHA512
64e3ae8f6ad577fd51446f6013efcd6d4883c7b27effdc89993c17a2b8f4570bee0ae1557fc76483220064b1b799b01b821b8fc5d9180e9d76f10b96ac278ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

Filesize
464KB

MD5
62db257f5b9baf0c157999d1ef677b41

SHA1
1de8cdf12e1ab38611debd85c95c2a5d51ece573

SHA256
b45d0a64ec98f5fd62e681791d3cf586ac13189c2ad3ecf25c6fc54438a8e264

SHA512
4b5c3f3427e4557f27069b246472e827a8b6e36a26856a7ec5906f1bf86c970efb9133eb61ecb8e0eb6c97166ca158d0b3831cc81aac15b406f023dc9ad24272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/2280-20-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2280-17-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2280-58-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2280-18-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/3540-0-0x00007FFBF2D55000-0x00007FFBF2D56000-memory.dmp

Filesize
4KB

Download
memory/3540-38-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/3540-4-0x000000001C6A0000-0x000000001CB6E000-memory.dmp

Filesize
4.8MB

Download
memory/3540-1-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/3540-5-0x000000001CB70000-0x000000001CC0C000-memory.dmp

Filesize
624KB

Download
memory/3540-2-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/3540-3-0x000000001BC50000-0x000000001BCF6000-memory.dmp

Filesize
664KB

Download
memory/3820-117-0x000001AFE09D0000-0x000001AFE09F2000-memory.dmp

Filesize
136KB

Download
memory/4348-40-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/4348-33-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/4348-34-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/4348-59-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/4676-113-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/4676-110-0x000000001AF70000-0x000000001AF78000-memory.dmp

Filesize
32KB

Download