njrat | 8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338

Analysis

max time kernel
209s
max time network
210s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DudeCracker V5.exe
Size

7.9MB
MD5

5c176f78c411c199ca2ec02c5b402810
SHA1

a268ccc95b620b1078602c6d6d3447ff3d8874ed
SHA256

8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338
SHA512

ae33004a339422c90f9ea52111804c323499b9cc516584cc54545245c6a8022d80c92ac206ba30dfa07acc932f8ab792164acd1eaff2670092c4a84fd1f88554
SSDEEP

196608:kivKUcQItzA1HeT39Iigwh1ncKOVVtk7KsUnijQFv4F:HDcvC1+TtIiFv0VQhgW/

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

10cpanel.hackcrack.io:33982

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
4800	powershell.exe
2856	powershell.exe
2864	powershell.exe
1864	powershell.exe
2556	powershell.exe
3220	powershell.exe
4588	powershell.exe
2864	powershell.exe
1864	powershell.exe
2556	powershell.exe
3220	powershell.exe
4588	powershell.exe
4940	powershell.exe
4800	powershell.exe
2856	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4656	netsh.exe

Executes dropped EXE 10 IoCs

pid	Process
2416	Setup.exe
2668	Setup.exe
1396	DudeCracker V5 .exe
3560	svchost.exe
3640	DudeCracker V5 .exe
2960	svchost.exe
2044	explorer.exe
2544	version.exe
3568	explorer.exe
3228	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe
3640	DudeCracker V5 .exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2492	cmd.exe
2252	cmd.exe
1548	cmd.exe
2900	cmd.exe
2836	cmd.exe
884	cmd.exe
3696	cmd.exe
1564	cmd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x001e00000002aa94-32.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4984	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeDebugPrivilege	3560	svchost.exe
Token: SeDebugPrivilege	2044	explorer.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe
Token: 33	3228	explorer.exe
Token: SeIncBasePriorityPrivilege	3228	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2044	explorer.exe
2044	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2416	3596	DudeCracker V5.exe	77
PID 3596 wrote to memory of 2416	3596	DudeCracker V5.exe	77
PID 3596 wrote to memory of 2668	3596	DudeCracker V5.exe	78
PID 3596 wrote to memory of 2668	3596	DudeCracker V5.exe	78
PID 3596 wrote to memory of 1396	3596	DudeCracker V5.exe	79
PID 3596 wrote to memory of 1396	3596	DudeCracker V5.exe	79
PID 2668 wrote to memory of 3560	2668	Setup.exe	81
PID 2668 wrote to memory of 3560	2668	Setup.exe	81
PID 1396 wrote to memory of 3640	1396	DudeCracker V5 .exe	82
PID 1396 wrote to memory of 3640	1396	DudeCracker V5 .exe	82
PID 2416 wrote to memory of 2960	2416	Setup.exe	83
PID 2416 wrote to memory of 2960	2416	Setup.exe	83
PID 3640 wrote to memory of 4632	3640	DudeCracker V5 .exe	84
PID 3640 wrote to memory of 4632	3640	DudeCracker V5 .exe	84
PID 3640 wrote to memory of 3052	3640	DudeCracker V5 .exe	85
PID 3640 wrote to memory of 3052	3640	DudeCracker V5 .exe	85
PID 2960 wrote to memory of 2044	2960	svchost.exe	86
PID 2960 wrote to memory of 2044	2960	svchost.exe	86
PID 2044 wrote to memory of 1544	2044	explorer.exe	87
PID 2044 wrote to memory of 1544	2044	explorer.exe	87
PID 2544 wrote to memory of 3696	2544	version.exe	90
PID 2544 wrote to memory of 3696	2544	version.exe	90
PID 2544 wrote to memory of 1564	2544	version.exe	91
PID 2544 wrote to memory of 1564	2544	version.exe	91
PID 2544 wrote to memory of 1548	2544	version.exe	94
PID 2544 wrote to memory of 1548	2544	version.exe	94
PID 2544 wrote to memory of 2492	2544	version.exe	95
PID 2544 wrote to memory of 2492	2544	version.exe	95
PID 2544 wrote to memory of 2252	2544	version.exe	96
PID 2544 wrote to memory of 2252	2544	version.exe	96
PID 2544 wrote to memory of 2900	2544	version.exe	98
PID 2544 wrote to memory of 2900	2544	version.exe	98
PID 2544 wrote to memory of 2836	2544	version.exe	101
PID 2544 wrote to memory of 2836	2544	version.exe	101
PID 2544 wrote to memory of 884	2544	version.exe	102
PID 2544 wrote to memory of 884	2544	version.exe	102
PID 3696 wrote to memory of 1864	3696	cmd.exe	108
PID 3696 wrote to memory of 1864	3696	cmd.exe	108
PID 1564 wrote to memory of 2556	1564	cmd.exe	109
PID 1564 wrote to memory of 2556	1564	cmd.exe	109
PID 1548 wrote to memory of 3220	1548	cmd.exe	110
PID 1548 wrote to memory of 3220	1548	cmd.exe	110
PID 2492 wrote to memory of 4588	2492	cmd.exe	111
PID 2492 wrote to memory of 4588	2492	cmd.exe	111
PID 2252 wrote to memory of 4940	2252	cmd.exe	112
PID 2252 wrote to memory of 4940	2252	cmd.exe	112
PID 884 wrote to memory of 4800	884	cmd.exe	114
PID 884 wrote to memory of 4800	884	cmd.exe	114
PID 2836 wrote to memory of 2856	2836	cmd.exe	115
PID 2836 wrote to memory of 2856	2836	cmd.exe	115
PID 2900 wrote to memory of 2864	2900	cmd.exe	116
PID 2900 wrote to memory of 2864	2900	cmd.exe	116
PID 3560 wrote to memory of 3568	3560	svchost.exe	117
PID 3560 wrote to memory of 3568	3560	svchost.exe	117
PID 2044 wrote to memory of 3228	2044	explorer.exe	118
PID 2044 wrote to memory of 3228	2044	explorer.exe	118
PID 3228 wrote to memory of 4656	3228	explorer.exe	119
PID 3228 wrote to memory of 4656	3228	explorer.exe	119

C:\Users\Admin\AppData\Local\Temp\DudeCracker V5.exe
"C:\Users\Admin\AppData\Local\Temp\DudeCracker V5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2044
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\zqngw1rv.inf
        5⤵
        
        PID:1544
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4656
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      PID:3568
- C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
  "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
    "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3052

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4800

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
b086782ac488892b614985f9355a4979

SHA1
85f1537da0120829dcabae7c4d6334e614c738eb

SHA256
196110ae45d16c909675bf3106c8794312b7b5520c2555842481dc0c9bd5a88d

SHA512
15401e81b4aaca10b999b68858d05f1e410ea7417b5bbabb22e4f3a487e714bdedf430eec92a154444ea4f0844b70052a8e4dd0be80b9cc35d1fc189a41b55a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
6ce69501f5fc3d86b1afc0db36c79332

SHA1
598dd8d64c8870ea53b94344c5bc72b8a3b68bae

SHA256
4ab4048bb34a5c22aedbf69b5db0e940456ca0428b6a6eb315cd7abd3b02287f

SHA512
ce9563c8d707043de9ddd2e9fcc892ab04093823c0c2c53a2c2137a55d2fcce6df966a7a71e48568ec4a2391b2227f9f8282f240aa66c088dfbdd43d76e01b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
74cb6d78314d7fdaaf7119fe006bcfd9

SHA1
be787e0eb70c3a8732dffecae56f4002e5b16f75

SHA256
a42326016fe054353c71343d7c48e072d30f7426503637175add202f5b20947b

SHA512
31f4c81ccb1788f242f2fbd3889c532f929a64f94cdd54687814e2e9637951122afe7c451abf176adfa7328044ceac0758ddadf541a79f5b033400129851dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe

Filesize
7.4MB

MD5
e3e2fad51a4d21b9632fda09172195fc

SHA1
b878a6f45b40e99f0d8bce2e34d87e0a9718cce1

SHA256
cb390e5d5db3e7812632d3d0b7b1aabf93d3637c2c5fd680dc9efcabcdab7a6f

SHA512
89f6c1e836bb8dfac4715128f1b31fdd0d301b943a07b9795321e7b79a48d705fd2adc4e2a48a38b4b3379b861eea788684753da347bbf190bbd98d7a1a0a140

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\base_library.zip

Filesize
1.3MB

MD5
68f96a1f0b49d240b392ebb7ea147939

SHA1
5d8aa0cccc0f744f17e546ef7120308016cb5438

SHA256
29556cc179d145e9f64d287f0455991bd62a8dc4304e20429f83a1a40959fd09

SHA512
b326d5feb4f9b3d76254240dc3b0d16cb60c0a47d75ab7a1742fe7bb0bdfafff00a9d24a4c84559f1b2b04d23fd4f53d3b8d654532cb7c57c60bb83041331d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3syxkaph.m0z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqngw1rv.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
358KB

MD5
59a4e3557cba5cd6e3241bc17cabb577

SHA1
d668b5fc3bd2fdf0b556cc62d863cc663c859d14

SHA256
524f0223999e825f11898e1bac85bcf7526902da9d2796f42a068144cdd0dc53

SHA512
64e3ae8f6ad577fd51446f6013efcd6d4883c7b27effdc89993c17a2b8f4570bee0ae1557fc76483220064b1b799b01b821b8fc5d9180e9d76f10b96ac278ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

Filesize
464KB

MD5
62db257f5b9baf0c157999d1ef677b41

SHA1
1de8cdf12e1ab38611debd85c95c2a5d51ece573

SHA256
b45d0a64ec98f5fd62e681791d3cf586ac13189c2ad3ecf25c6fc54438a8e264

SHA512
4b5c3f3427e4557f27069b246472e827a8b6e36a26856a7ec5906f1bf86c970efb9133eb61ecb8e0eb6c97166ca158d0b3831cc81aac15b406f023dc9ad24272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
124KB

MD5
287c4ef4138442be3996d52619f9e7d3

SHA1
2a64f031df9e950aec105ac2eaf6cf0932bda940

SHA256
686f17451faf52211e0b477c8b4dee8666eebc7332e5b429fa7f478aeece5b00

SHA512
a980b88c60bc4f5d8a6a233a24faf20aa4de697475492945208ddbe628f55a6f4a88ca945f6d1fdf147bd62e02cb103537b56083413e82763f74fcb9696cb6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/1864-122-0x000001F7B4DD0000-0x000001F7B4DF2000-memory.dmp

Filesize
136KB

Download
memory/2044-109-0x000000001BB90000-0x000000001BB98000-memory.dmp

Filesize
32KB

Download
memory/2044-112-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/2416-19-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/2416-18-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/2416-88-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/2416-21-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/2668-59-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/2668-34-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/3596-39-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/3596-0-0x00007FFF4C0A5000-0x00007FFF4C0A6000-memory.dmp

Filesize
4KB

Download
memory/3596-5-0x000000001C8A0000-0x000000001C93C000-memory.dmp

Filesize
624KB

Download
memory/3596-3-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download
memory/3596-4-0x000000001CE40000-0x000000001D30E000-memory.dmp

Filesize
4.8MB

Download
memory/3596-2-0x000000001C2C0000-0x000000001C366000-memory.dmp

Filesize
664KB

Download
memory/3596-1-0x00007FFF4BDF0000-0x00007FFF4C791000-memory.dmp

Filesize
9.6MB

Download