njrat | 4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f

Analysis

max time kernel
239s
max time network
245s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

рат 3 стадия.exe
Size

11.3MB
MD5

27d9f65b4d7ea7f8dc76517c634be635
SHA1

4baa5a473b5780ba33e749e43ef7363464bf6968
SHA256

4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f
SHA512

b90fd210c34da79d1d7d526b1e8178c1e7fb0e5a1550eacec3492bf5843073edaa0369f7a0c81ab0996c88a20c742e385bace606b404caa5c513cbf1af68f9cc
SSDEEP

196608:Zqwdlup6/j7AGXyaP+RtZoPlbxfxKLZtz4uIZoGSV1gJCUepeNxJvLW7snujIvgB:xup6lXeY5ol4uIZoG0dUQeN71ucvgB99

Score

10^/10

njrat defense_evasion discovery execution persistence pyinstaller trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0df0fb8528c3682ecb940bc2e38a6ae.exe	ASIO Plugin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0df0fb8528c3682ecb940bc2e38a6ae.exe	ASIO Plugin.exe

Executes dropped EXE 7 IoCs

pid	Process
2528	SCAN_MINECRAFT_F.exe
2948	RTP_Launcher.exe
2780	Payload.sfx.exe
2316	Payload.exe
3008	SCAN_MINECRAFT_F.exe
1992	ASIO Plugin.exe
3032	5b8f934b5e454649be5c76f6e9222c0c.exe

Loads dropped DLL 17 IoCs

pid	Process
2320	рат 3 стадия.exe
2832	Process not Found
2320	рат 3 стадия.exe
2948	RTP_Launcher.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
3008	SCAN_MINECRAFT_F.exe
2316	Payload.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0df0fb8528c3682ecb940bc2e38a6ae = "\"C:\\Users\\Admin\\AppData\\Roaming\\ASIO Plugin.exe\" .."	ASIO Plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d0df0fb8528c3682ecb940bc2e38a6ae = "\"C:\\Users\\Admin\\AppData\\Roaming\\ASIO Plugin.exe\" .."	ASIO Plugin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2376	sc.exe
1744	sc.exe
1712	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000019470-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASIO Plugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2456	cmd.exe
2292	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2292	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2276	powershell.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe
1992	ASIO Plugin.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2264	taskmgr.exe
1992	ASIO Plugin.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	taskmgr.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe
Token: 33	1992	ASIO Plugin.exe
Token: SeIncBasePriorityPrivilege	1992	ASIO Plugin.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe
2264	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2528	2320	рат 3 стадия.exe	29
PID 2320 wrote to memory of 2528	2320	рат 3 стадия.exe	29
PID 2320 wrote to memory of 2528	2320	рат 3 стадия.exe	29
PID 2320 wrote to memory of 2948	2320	рат 3 стадия.exe	31
PID 2320 wrote to memory of 2948	2320	рат 3 стадия.exe	31
PID 2320 wrote to memory of 2948	2320	рат 3 стадия.exe	31
PID 2948 wrote to memory of 2780	2948	RTP_Launcher.exe	32
PID 2948 wrote to memory of 2780	2948	RTP_Launcher.exe	32
PID 2948 wrote to memory of 2780	2948	RTP_Launcher.exe	32
PID 2780 wrote to memory of 2316	2780	Payload.sfx.exe	33
PID 2780 wrote to memory of 2316	2780	Payload.sfx.exe	33
PID 2780 wrote to memory of 2316	2780	Payload.sfx.exe	33
PID 2780 wrote to memory of 2316	2780	Payload.sfx.exe	33
PID 2528 wrote to memory of 3008	2528	SCAN_MINECRAFT_F.exe	34
PID 2528 wrote to memory of 3008	2528	SCAN_MINECRAFT_F.exe	34
PID 2528 wrote to memory of 3008	2528	SCAN_MINECRAFT_F.exe	34
PID 2316 wrote to memory of 1992	2316	Payload.exe	35
PID 2316 wrote to memory of 1992	2316	Payload.exe	35
PID 2316 wrote to memory of 1992	2316	Payload.exe	35
PID 2316 wrote to memory of 1992	2316	Payload.exe	35
PID 1992 wrote to memory of 704	1992	ASIO Plugin.exe	37
PID 1992 wrote to memory of 704	1992	ASIO Plugin.exe	37
PID 1992 wrote to memory of 704	1992	ASIO Plugin.exe	37
PID 1992 wrote to memory of 704	1992	ASIO Plugin.exe	37
PID 1992 wrote to memory of 2636	1992	ASIO Plugin.exe	39
PID 1992 wrote to memory of 2636	1992	ASIO Plugin.exe	39
PID 1992 wrote to memory of 2636	1992	ASIO Plugin.exe	39
PID 1992 wrote to memory of 2636	1992	ASIO Plugin.exe	39
PID 2636 wrote to memory of 2276	2636	cmd.exe	41
PID 2636 wrote to memory of 2276	2636	cmd.exe	41
PID 2636 wrote to memory of 2276	2636	cmd.exe	41
PID 2636 wrote to memory of 2276	2636	cmd.exe	41
PID 1992 wrote to memory of 288	1992	ASIO Plugin.exe	42
PID 1992 wrote to memory of 288	1992	ASIO Plugin.exe	42
PID 1992 wrote to memory of 288	1992	ASIO Plugin.exe	42
PID 1992 wrote to memory of 288	1992	ASIO Plugin.exe	42
PID 288 wrote to memory of 2376	288	cmd.exe	44
PID 288 wrote to memory of 2376	288	cmd.exe	44
PID 288 wrote to memory of 2376	288	cmd.exe	44
PID 288 wrote to memory of 2376	288	cmd.exe	44
PID 1992 wrote to memory of 688	1992	ASIO Plugin.exe	45
PID 1992 wrote to memory of 688	1992	ASIO Plugin.exe	45
PID 1992 wrote to memory of 688	1992	ASIO Plugin.exe	45
PID 1992 wrote to memory of 688	1992	ASIO Plugin.exe	45
PID 688 wrote to memory of 1744	688	cmd.exe	47
PID 688 wrote to memory of 1744	688	cmd.exe	47
PID 688 wrote to memory of 1744	688	cmd.exe	47
PID 688 wrote to memory of 1744	688	cmd.exe	47
PID 1992 wrote to memory of 1760	1992	ASIO Plugin.exe	48
PID 1992 wrote to memory of 1760	1992	ASIO Plugin.exe	48
PID 1992 wrote to memory of 1760	1992	ASIO Plugin.exe	48
PID 1992 wrote to memory of 1760	1992	ASIO Plugin.exe	48
PID 1760 wrote to memory of 1712	1760	cmd.exe	50
PID 1760 wrote to memory of 1712	1760	cmd.exe	50
PID 1760 wrote to memory of 1712	1760	cmd.exe	50
PID 1760 wrote to memory of 1712	1760	cmd.exe	50
PID 1992 wrote to memory of 1656	1992	ASIO Plugin.exe	51
PID 1992 wrote to memory of 1656	1992	ASIO Plugin.exe	51
PID 1992 wrote to memory of 1656	1992	ASIO Plugin.exe	51
PID 1992 wrote to memory of 1656	1992	ASIO Plugin.exe	51
PID 1992 wrote to memory of 1328	1992	ASIO Plugin.exe	53
PID 1992 wrote to memory of 1328	1992	ASIO Plugin.exe	53
PID 1992 wrote to memory of 1328	1992	ASIO Plugin.exe	53
PID 1992 wrote to memory of 1328	1992	ASIO Plugin.exe	53

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe
"C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
  "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
    "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3008
- C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
  "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Roaming\Payload.sfx.exe
    "C:\Users\Admin\AppData\Roaming\Payload.sfx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Roaming\Payload.exe
      "C:\Users\Admin\AppData\Roaming\Payload.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
        
        "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:704
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c sc query windefend
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\sc.exe
        
        sc query windefend
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2376
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c sc stop windefend
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop windefend
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c sc delete windefend
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete windefend
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn CleanSweepCheck /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe"
        6⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn CleanSweepCheck /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 0 -n 2
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb9c9758,0x7fefb9c9768,0x7fefb9c9778
  2⤵
  PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c69758,0x7fef7c69768,0x7fef7c69778
  2⤵
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
cc228ff8d86b608e73026b1e9960b2f8

SHA1
cef0705aee1e8702589524879a49e859505d6fe0

SHA256
4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

SHA512
17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
e368a236f5676a3da44e76870cd691c9

SHA1
e4f1d2c6f714a47f0dc29021855c632ef98b0a74

SHA256
93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

SHA512
f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
21KB

MD5
0c1cc0a54d4b38885e1b250b40a34a84

SHA1
24400f712bbe1dd260ed407d1eb24c35dcb2ecac

SHA256
a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

SHA512
71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
5241df2e95e31e73ccfd6357ad309df0

SHA1
2644cc5e86dfad1ad2140181ab2ca79725f95411

SHA256
6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

SHA512
52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
385f562bdc391ccd4f81aca3719f3236

SHA1
f6633e1dac227ba3cd14d004748ef0c1c4135e67

SHA256
4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

SHA512
b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
21KB

MD5
fc9fc5f308ffc2d2d71814df8e2ae107

SHA1
24d7477f2a7dc2610eb701ed683108cd57eca966

SHA256
2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

SHA512
490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
43d8d2fb8801c5bd90d9482ddf3ea356

SHA1
d582b55cd58531e726141c63ba9910ff185d72e0

SHA256
33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

SHA512
0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25282\ucrtbase.dll

Filesize
1.3MB

MD5
286b308df8012a5dfc4276fb16dd9ccc

SHA1
8ae9df813b281c2bd7a81de1e4e9cef8934a9120

SHA256
2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

SHA512
24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
54KB

MD5
68e6ef21250dd5d0bce5dfbd201da418

SHA1
8f5ac5472ef190644b551982c221aecfdeb13e24

SHA256
914ba72a2c19e2c962e6a210810a8d991c16603e84d29b8fe3e1efc41586715b

SHA512
08b6a7ea071a7f8354b3d255ab16d8748915ec5d350dea6a9ea414aa00445720984c8c4a293ddab623cbd193b0b0ec89494182f9c07032d849ef0ec2f8a2196f

Download Submit
C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe

Filesize
668KB

MD5
f201d301882f32db22068608558a4bab

SHA1
93e1399172ce45361e4fa053fb6547261f465c34

SHA256
9812c226b300a5ee0e516214bca4e972af80249844d7212d34a532674a6d2039

SHA512
db79f67fafc9a5fd7c68a9767b4964aa214168a347bd8692976ac4e6b85a18a17133827dd3f10438a1760121c9c3dc430343c416ee9a8a6c36d381ed0fa3fef0

Download Submit
\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe

Filesize
22.6MB

MD5
d3b70fa0711ad4e8e8a43e8a4ba6cdfb

SHA1
64b2e064abcee7b04caccd315a2d2994ba4df125

SHA256
da298b13fc28e0a326de0138130584201e0b6dd4859e74615781e48c099010a8

SHA512
4a564a51fe2d44645df6651804581c429b560f111190a585ce6508572ecba72b21ecf47e5763ec65500453cd2498519e9c55ec96a94b8c560b81520398346aff

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-fibers-l1-1-1.dll

Filesize
21KB

MD5
050a30a687e7a2fa6f086a0db89aa131

SHA1
1484322caaf0d71cbb873a2b87bdd8d456da1a3b

SHA256
fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

SHA512
07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

Download Submit
\Users\Admin\AppData\Roaming\Payload.sfx.exe

Filesize
460KB

MD5
fc66d6dda75572e180f725e173594e7e

SHA1
0bd79afc46ad1c911749ddf1222f3d3335281323

SHA256
096ab73539ab3a204fc9d867a06ef3e076e880dd51c612d9eeee3b15bc81111f

SHA512
3d4d1100f4ccde9debe08775623c5f70c561e03751fd66389c96c61cdbe7b153a5addd53a04a4b602a0999de4ae74b2127b4be17e4b28ceb54534977e9a28d2a

Download Submit
\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe

Filesize
10.8MB

MD5
0ebcd0bb555e8ab1672a1ffb2793151f

SHA1
bc1b85846c5d67b6b3fe1d8b7a4d94238378a673

SHA256
5f7507a45a6380116220fa730f521df31b7497591ca2d1167ca0f507c8c4d634

SHA512
8bd4b0c68966c2127c4f25045faeddb44ba6558c67af5ba459529110ee7ed427f148bac27f04d4d4567d533ed0ecd315b208fb1845451d11ced3d1e6804958ea

Download Submit
memory/2264-2024-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2264-2025-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2264-2028-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download