njrat | bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

83KB
MD5

534f369ccf6412aedd991e525a1e72ff
SHA1

7ac06b4a71634ea87c47aa4d95debaea98728d59
SHA256

bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f
SHA512

fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281
SSDEEP

1536:7eB1Gt0g5eEkG9WQcGDWX3xIEpmugSgytVlVqKu0UxYy0hAc:o1GtR1kG9WQnDWX3xIEpmsLRVqKnUxXB

Score

10^/10

njrat victim defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

staff-tunisia.gl.at.ply.gg:47744

Mutex

3deffefe0e2775360ccb15d96c6aeb42

Attributes

reg_key
3deffefe0e2775360ccb15d96c6aeb42
splitter
Y262SUCZ4UJJ

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe	dllhost.exe

Executes dropped EXE 3 IoCs

pid	Process
2704	dllhost.exe
1760	dllhost.exe
2392	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1420	Payload.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe
2768	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2876	sc.exe
2212	sc.exe
3040	sc.exe
588	sc.exe
2072	sc.exe
1704	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	powershell.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe
2704	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2704	dllhost.exe
2392	dllhost.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: 33	2704	dllhost.exe
Token: SeIncBasePriorityPrivilege	2704	dllhost.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2392	dllhost.exe
Token: 33	2392	dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	dllhost.exe
Token: 33	2392	dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	dllhost.exe
Token: 33	2392	dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	dllhost.exe
Token: 33	2392	dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	dllhost.exe
Token: 33	2392	dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2704	1420	Payload.exe	30
PID 1420 wrote to memory of 2704	1420	Payload.exe	30
PID 1420 wrote to memory of 2704	1420	Payload.exe	30
PID 1420 wrote to memory of 2704	1420	Payload.exe	30
PID 2704 wrote to memory of 3032	2704	dllhost.exe	31
PID 2704 wrote to memory of 3032	2704	dllhost.exe	31
PID 2704 wrote to memory of 3032	2704	dllhost.exe	31
PID 2704 wrote to memory of 3032	2704	dllhost.exe	31
PID 2704 wrote to memory of 1048	2704	dllhost.exe	33
PID 2704 wrote to memory of 1048	2704	dllhost.exe	33
PID 2704 wrote to memory of 1048	2704	dllhost.exe	33
PID 2704 wrote to memory of 1048	2704	dllhost.exe	33
PID 1048 wrote to memory of 2540	1048	cmd.exe	35
PID 1048 wrote to memory of 2540	1048	cmd.exe	35
PID 1048 wrote to memory of 2540	1048	cmd.exe	35
PID 1048 wrote to memory of 2540	1048	cmd.exe	35
PID 2704 wrote to memory of 3004	2704	dllhost.exe	36
PID 2704 wrote to memory of 3004	2704	dllhost.exe	36
PID 2704 wrote to memory of 3004	2704	dllhost.exe	36
PID 2704 wrote to memory of 3004	2704	dllhost.exe	36
PID 3004 wrote to memory of 2072	3004	cmd.exe	38
PID 3004 wrote to memory of 2072	3004	cmd.exe	38
PID 3004 wrote to memory of 2072	3004	cmd.exe	38
PID 3004 wrote to memory of 2072	3004	cmd.exe	38
PID 2704 wrote to memory of 2368	2704	dllhost.exe	39
PID 2704 wrote to memory of 2368	2704	dllhost.exe	39
PID 2704 wrote to memory of 2368	2704	dllhost.exe	39
PID 2704 wrote to memory of 2368	2704	dllhost.exe	39
PID 2368 wrote to memory of 1704	2368	cmd.exe	41
PID 2368 wrote to memory of 1704	2368	cmd.exe	41
PID 2368 wrote to memory of 1704	2368	cmd.exe	41
PID 2368 wrote to memory of 1704	2368	cmd.exe	41
PID 2704 wrote to memory of 1684	2704	dllhost.exe	42
PID 2704 wrote to memory of 1684	2704	dllhost.exe	42
PID 2704 wrote to memory of 1684	2704	dllhost.exe	42
PID 2704 wrote to memory of 1684	2704	dllhost.exe	42
PID 1684 wrote to memory of 2876	1684	cmd.exe	44
PID 1684 wrote to memory of 2876	1684	cmd.exe	44
PID 1684 wrote to memory of 2876	1684	cmd.exe	44
PID 1684 wrote to memory of 2876	1684	cmd.exe	44
PID 2704 wrote to memory of 2892	2704	dllhost.exe	45
PID 2704 wrote to memory of 2892	2704	dllhost.exe	45
PID 2704 wrote to memory of 2892	2704	dllhost.exe	45
PID 2704 wrote to memory of 2892	2704	dllhost.exe	45
PID 2704 wrote to memory of 2904	2704	dllhost.exe	47
PID 2704 wrote to memory of 2904	2704	dllhost.exe	47
PID 2704 wrote to memory of 2904	2704	dllhost.exe	47
PID 2704 wrote to memory of 2904	2704	dllhost.exe	47
PID 2860 wrote to memory of 1760	2860	taskeng.exe	51
PID 2860 wrote to memory of 1760	2860	taskeng.exe	51
PID 2860 wrote to memory of 1760	2860	taskeng.exe	51
PID 2860 wrote to memory of 1760	2860	taskeng.exe	51
PID 2860 wrote to memory of 2392	2860	taskeng.exe	53
PID 2860 wrote to memory of 2392	2860	taskeng.exe	53
PID 2860 wrote to memory of 2392	2860	taskeng.exe	53
PID 2860 wrote to memory of 2392	2860	taskeng.exe	53
PID 2392 wrote to memory of 468	2392	dllhost.exe	54
PID 2392 wrote to memory of 468	2392	dllhost.exe	54
PID 2392 wrote to memory of 468	2392	dllhost.exe	54
PID 2392 wrote to memory of 468	2392	dllhost.exe	54
PID 2392 wrote to memory of 1644	2392	dllhost.exe	56
PID 2392 wrote to memory of 1644	2392	dllhost.exe	56
PID 2392 wrote to memory of 1644	2392	dllhost.exe	56
PID 2392 wrote to memory of 1644	2392	dllhost.exe	56

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3032	attrib.exe
468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc query windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\sc.exe
      sc query windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\sc.exe
      sc stop windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn CleanSweepCheck /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2904

C:\Windows\system32\taskeng.exe
taskeng.exe {788C080E-AD0F-418A-82D4-546722F1D25B} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  C:\Users\Admin\AppData\Roaming\dllhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  C:\Users\Admin\AppData\Roaming\dllhost.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc query windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Windows\SysWOW64\sc.exe
      sc query windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Windows\SysWOW64\sc.exe
      sc stop windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn CleanSweepCheck /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00956c27ee2e7ed0dab9b1810d96f1ee

SHA1
8b3525601e25672b42392318d4a4522701995a2f

SHA256
4465ab4372c23ee91b4eeedbb0df5032a8afad5b19a86518e625bcf2075a8a39

SHA512
a30dcf63281b1c9b9833613cf5f1a9e6b3a817bd86c82e9e5010bc22c600df993a9f0d477c094d090c90e3d2cd2a893ef30c3b637c2bc29313edb08fb97999c3

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
83KB

MD5
534f369ccf6412aedd991e525a1e72ff

SHA1
7ac06b4a71634ea87c47aa4d95debaea98728d59

SHA256
bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

SHA512
fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281

Download Submit
memory/1420-0-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

Filesize
4KB

Download
memory/1420-1-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-2-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-11-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-10-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-12-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-16-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-19-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download