njrat | bd0be20774a92281bace372798dd040d22139c183c75640d234a3df26d4bd089

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HQ Dorks Generator.exe
Size

848KB
MD5

a920b8ebf266ee37c1e114ae12dba6a1
SHA1

ad742e8769fbe8e089707bc3d81f3348b54f6838
SHA256

bd0be20774a92281bace372798dd040d22139c183c75640d234a3df26d4bd089
SHA512

cbb9b70c7fe3ff38b7141ab7a3278b9864b0c1300ea40f374b61f4c062e70aad1fa04efc92415585104c4524f468c0bcbc3d133e0eb12782c1bef599f1c126a4
SSDEEP

12288:0/t6UGM7QsdexpZwbsfxOXurBjpOUREzLw2f1WrG8HXXQG6:RG5+obsfxlrBj0+EzLwW1T8HQ

Score

10^/10

njrat hacked defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

10cpanel.hackcrack.io:33982

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3928	powershell.exe
3476	powershell.exe
4504	powershell.exe
2908	powershell.exe
4660	powershell.exe
3420	powershell.exe
1308	powershell.exe
428	powershell.exe
3476	powershell.exe
4504	powershell.exe
2908	powershell.exe
4660	powershell.exe
3420	powershell.exe
1308	powershell.exe
428	powershell.exe
3928	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3600	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	HQ Dorks Generator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 8 IoCs

pid	Process
2056	Setup.exe
2880	Setup.exe
4388	HQ Dorks Generator .exe
2712	svchost.exe
1796	svchost.exe
1924	explorer.exe
1732	version.exe
208	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4368	cmd.exe
2724	cmd.exe
2076	cmd.exe
4004	cmd.exe
4864	cmd.exe
5000	cmd.exe
1640	cmd.exe
1892	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HQ Dorks Generator .exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2428	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	HQ Dorks Generator .exe
Token: SeDebugPrivilege	1796	svchost.exe
Token: SeDebugPrivilege	2712	svchost.exe
Token: SeDebugPrivilege	1924	explorer.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe
Token: 33	208	explorer.exe
Token: SeIncBasePriorityPrivilege	208	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1924	explorer.exe
1924	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2056	2368	HQ Dorks Generator.exe	82
PID 2368 wrote to memory of 2056	2368	HQ Dorks Generator.exe	82
PID 2368 wrote to memory of 2880	2368	HQ Dorks Generator.exe	83
PID 2368 wrote to memory of 2880	2368	HQ Dorks Generator.exe	83
PID 2368 wrote to memory of 4388	2368	HQ Dorks Generator.exe	84
PID 2368 wrote to memory of 4388	2368	HQ Dorks Generator.exe	84
PID 2368 wrote to memory of 4388	2368	HQ Dorks Generator.exe	84
PID 2880 wrote to memory of 2712	2880	Setup.exe	85
PID 2880 wrote to memory of 2712	2880	Setup.exe	85
PID 2056 wrote to memory of 1796	2056	Setup.exe	86
PID 2056 wrote to memory of 1796	2056	Setup.exe	86
PID 1796 wrote to memory of 1924	1796	svchost.exe	94
PID 1796 wrote to memory of 1924	1796	svchost.exe	94
PID 1924 wrote to memory of 4100	1924	explorer.exe	95
PID 1924 wrote to memory of 4100	1924	explorer.exe	95
PID 1732 wrote to memory of 2724	1732	version.exe	98
PID 1732 wrote to memory of 2724	1732	version.exe	98
PID 1732 wrote to memory of 2076	1732	version.exe	100
PID 1732 wrote to memory of 2076	1732	version.exe	100
PID 1732 wrote to memory of 4004	1732	version.exe	102
PID 1732 wrote to memory of 4004	1732	version.exe	102
PID 2724 wrote to memory of 3420	2724	cmd.exe	104
PID 2724 wrote to memory of 3420	2724	cmd.exe	104
PID 1732 wrote to memory of 4864	1732	version.exe	105
PID 1732 wrote to memory of 4864	1732	version.exe	105
PID 1732 wrote to memory of 5000	1732	version.exe	107
PID 1732 wrote to memory of 5000	1732	version.exe	107
PID 1732 wrote to memory of 1640	1732	version.exe	108
PID 1732 wrote to memory of 1640	1732	version.exe	108
PID 4864 wrote to memory of 1308	4864	cmd.exe	112
PID 4864 wrote to memory of 1308	4864	cmd.exe	112
PID 1732 wrote to memory of 1892	1732	version.exe	111
PID 1732 wrote to memory of 1892	1732	version.exe	111
PID 1732 wrote to memory of 4368	1732	version.exe	114
PID 1732 wrote to memory of 4368	1732	version.exe	114
PID 4004 wrote to memory of 428	4004	cmd.exe	115
PID 4004 wrote to memory of 428	4004	cmd.exe	115
PID 2076 wrote to memory of 3928	2076	cmd.exe	118
PID 2076 wrote to memory of 3928	2076	cmd.exe	118
PID 5000 wrote to memory of 3476	5000	cmd.exe	120
PID 5000 wrote to memory of 3476	5000	cmd.exe	120
PID 1640 wrote to memory of 4504	1640	cmd.exe	121
PID 1640 wrote to memory of 4504	1640	cmd.exe	121
PID 4368 wrote to memory of 2908	4368	cmd.exe	122
PID 4368 wrote to memory of 2908	4368	cmd.exe	122
PID 1892 wrote to memory of 4660	1892	cmd.exe	123
PID 1892 wrote to memory of 4660	1892	cmd.exe	123
PID 1924 wrote to memory of 208	1924	explorer.exe	126
PID 1924 wrote to memory of 208	1924	explorer.exe	126
PID 208 wrote to memory of 3600	208	explorer.exe	128
PID 208 wrote to memory of 3600	208	explorer.exe	128

C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator.exe
"C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1924
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\oqojv2ds.inf
        5⤵
        
        PID:4100
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3600
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe
  "C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
2f142977932b7837fa1cc70278e53361

SHA1
0a3212d221079671bfdeee176ad841e6f15904fc

SHA256
961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

SHA512
a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe

Filesize
352KB

MD5
047f6a433933c39cde9f6025d5d1a9cd

SHA1
29ce4ed295f8bdb648abfdb3fa43daa320573fca

SHA256
87260300a5d5575a76dd44c3f0ae8c4bad7e94000990d67c9e7fffcedb586473

SHA512
9227991f2126d7948ccb30c80d62162b82e12119edf5c9503a19b60d4b6b2bfe899536e7df47d960ec1128e70bb30a1fa0c93557e9d179c144298d133448d065

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovicgkub.vms.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqojv2ds.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
358KB

MD5
59a4e3557cba5cd6e3241bc17cabb577

SHA1
d668b5fc3bd2fdf0b556cc62d863cc663c859d14

SHA256
524f0223999e825f11898e1bac85bcf7526902da9d2796f42a068144cdd0dc53

SHA512
64e3ae8f6ad577fd51446f6013efcd6d4883c7b27effdc89993c17a2b8f4570bee0ae1557fc76483220064b1b799b01b821b8fc5d9180e9d76f10b96ac278ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
140KB

MD5
bbf128484e7ea29053c6db91849067ea

SHA1
c46ec37265740c349fb265099e47ebbef9369ba1

SHA256
5e6f03b5ae15131c2ad374c563273389b3340168ff647433a6b5e7acce468b05

SHA512
aeb756d2b2238eaa16a82673b6a86b609320abd6eafc4b742d0f5a9fe88fbbf34a1fd7e6ad9d2f30a832e288a3d7b725a73f83616df1d3edee92c8fd06984e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/428-175-0x0000018E3B3D0000-0x0000018E3B53A000-memory.dmp

Filesize
1.4MB

Download
memory/428-102-0x0000018E3AE10000-0x0000018E3AE32000-memory.dmp

Filesize
136KB

Download
memory/1308-168-0x000001FE707E0000-0x000001FE7094A000-memory.dmp

Filesize
1.4MB

Download
memory/1924-88-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1924-91-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2056-58-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2056-18-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2056-19-0x0000000000AB0000-0x0000000000ADC000-memory.dmp

Filesize
176KB

Download
memory/2368-2-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2368-46-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2368-3-0x000000001C150000-0x000000001C61E000-memory.dmp

Filesize
4.8MB

Download
memory/2368-0-0x00007FFD35695000-0x00007FFD35696000-memory.dmp

Filesize
4KB

Download
memory/2368-4-0x000000001C6C0000-0x000000001C75C000-memory.dmp

Filesize
624KB

Download
memory/2368-5-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2368-1-0x000000001BBD0000-0x000000001BC76000-memory.dmp

Filesize
664KB

Download
memory/2712-55-0x00000000015A0000-0x00000000015A8000-memory.dmp

Filesize
32KB

Download
memory/2880-57-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2880-33-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2880-35-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2880-45-0x00007FFD353E0000-0x00007FFD35D81000-memory.dmp

Filesize
9.6MB

Download
memory/2908-183-0x0000022E7C4A0000-0x0000022E7C60A000-memory.dmp

Filesize
1.4MB

Download
memory/3420-174-0x0000023A3E100000-0x0000023A3E26A000-memory.dmp

Filesize
1.4MB

Download
memory/3476-189-0x000001D670BB0000-0x000001D670D1A000-memory.dmp

Filesize
1.4MB

Download
memory/3928-178-0x0000010B67380000-0x0000010B674EA000-memory.dmp

Filesize
1.4MB

Download
memory/4388-64-0x0000000007550000-0x0000000007590000-memory.dmp

Filesize
256KB

Download
memory/4388-59-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/4388-60-0x0000000004E50000-0x0000000004EA6000-memory.dmp

Filesize
344KB

Download
memory/4388-50-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4388-49-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/4388-48-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/4388-47-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/4504-184-0x000002CD3EDD0000-0x000002CD3EF3A000-memory.dmp

Filesize
1.4MB

Download
memory/4660-190-0x0000020CE9C40000-0x0000020CE9DAA000-memory.dmp

Filesize
1.4MB

Download