njrat | 6df749c99fac5bc1097bdd0566120dbd7f38aa392b06227b66efff14412b80c9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2025, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Everythin.exe
Size

29.5MB
MD5

d83d5ff23292103a65b43fbd42b7f243
SHA1

b27e29d090712a2cf50d17a17fb1a8f78fba8aec
SHA256

6df749c99fac5bc1097bdd0566120dbd7f38aa392b06227b66efff14412b80c9
SHA512

7dc52a8d2eb202603f27cf9addd9c4cc08de289d041b0e4960917354251dae407c9485b864c0d81bad623eda45fa23078205d6e30ac4909c15be3e5961ed35da
SSDEEP

786432:a97LDzYHKsqAK/DxlMwVbrxpstnsnxzxP3LLv:o7LfgOh/TMQ3OnMxtPv

Score

10^/10

njrat stealer windows discovery persistence pyinstaller trojan upx

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Windows

127.0.0.1:10454

Mutex

windows.exe

Attributes

reg_key
windows.exe
splitter
|Ghost|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

stealer

environmental-seeds.gl.at.ply.gg:35534

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 2 IoCs

flow	pid	Process
16	4984	Process not Found
55	3584	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\Control Panel\International\Geo\Nation	Everythin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\Control Panel\International\Geo\Nation	Everythingnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\Control Panel\International\Geo\Nation	Everything.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	winsystem.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe	windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	winsystem.exe

Executes dropped EXE 7 IoCs

pid	Process
1880	main.exe
2268	Everything.exe
4104	Everythingnew.exe
1720	main.exe
3724	Build.exe
4564	winsystem.exe
4344	windows.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	main.exe
1720	main.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .."	winsystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .."	winsystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "\"C:\\ProgramData\\windows.exe\" .."	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows.exe = "\"C:\\ProgramData\\windows.exe\" .."	windows.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023d4d-42.dat	upx
behavioral2/memory/1720-46-0x00007FFC229E0000-0x00007FFC23045000-memory.dmp	upx
behavioral2/files/0x0008000000023d4a-59.dat	upx
behavioral2/files/0x0008000000023d47-58.dat	upx
behavioral2/files/0x000e000000023d45-57.dat	upx
behavioral2/files/0x0009000000023d41-56.dat	upx
behavioral2/files/0x0009000000023d40-55.dat	upx
behavioral2/files/0x0008000000023d7d-54.dat	upx
behavioral2/files/0x0008000000023d7c-53.dat	upx
behavioral2/files/0x0008000000023d4c-52.dat	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000b000000023d1f-8.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everything.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everythingnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1072	MicrosoftEdgeUpdate.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
2200	TASKKILL.exe
4600	TASKKILL.exe
1712	TASKKILL.exe
1568	TASKKILL.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3444	schtasks.exe
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe
2268	Everything.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4104	Everythingnew.exe
4564	winsystem.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	Everything.exe
Token: SeDebugPrivilege	2200	TASKKILL.exe
Token: SeDebugPrivilege	4600	TASKKILL.exe
Token: SeDebugPrivilege	4344	windows.exe
Token: SeDebugPrivilege	1712	TASKKILL.exe
Token: SeDebugPrivilege	1568	TASKKILL.exe
Token: SeDebugPrivilege	4564	winsystem.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe
Token: SeIncBasePriorityPrivilege	4564	winsystem.exe
Token: 33	4344	windows.exe
Token: SeIncBasePriorityPrivilege	4344	windows.exe
Token: 33	4564	winsystem.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 1880	4292	Everythin.exe	91
PID 4292 wrote to memory of 1880	4292	Everythin.exe	91
PID 4292 wrote to memory of 2268	4292	Everythin.exe	94
PID 4292 wrote to memory of 2268	4292	Everythin.exe	94
PID 4292 wrote to memory of 2268	4292	Everythin.exe	94
PID 4292 wrote to memory of 4104	4292	Everythin.exe	95
PID 4292 wrote to memory of 4104	4292	Everythin.exe	95
PID 4292 wrote to memory of 4104	4292	Everythin.exe	95
PID 1880 wrote to memory of 1720	1880	main.exe	96
PID 1880 wrote to memory of 1720	1880	main.exe	96
PID 1720 wrote to memory of 1408	1720	main.exe	97
PID 1720 wrote to memory of 1408	1720	main.exe	97
PID 2268 wrote to memory of 4600	2268	Everything.exe	99
PID 2268 wrote to memory of 4600	2268	Everything.exe	99
PID 2268 wrote to memory of 4600	2268	Everything.exe	99
PID 2268 wrote to memory of 2200	2268	Everything.exe	100
PID 2268 wrote to memory of 2200	2268	Everything.exe	100
PID 2268 wrote to memory of 2200	2268	Everything.exe	100
PID 2268 wrote to memory of 3444	2268	Everything.exe	107
PID 2268 wrote to memory of 3444	2268	Everything.exe	107
PID 2268 wrote to memory of 3444	2268	Everything.exe	107
PID 4104 wrote to memory of 4564	4104	Everythingnew.exe	109
PID 4104 wrote to memory of 4564	4104	Everythingnew.exe	109
PID 4104 wrote to memory of 4564	4104	Everythingnew.exe	109
PID 2268 wrote to memory of 4344	2268	Everything.exe	111
PID 2268 wrote to memory of 4344	2268	Everything.exe	111
PID 2268 wrote to memory of 4344	2268	Everything.exe	111
PID 2268 wrote to memory of 2776	2268	Everything.exe	112
PID 2268 wrote to memory of 2776	2268	Everything.exe	112
PID 2268 wrote to memory of 2776	2268	Everything.exe	112
PID 4344 wrote to memory of 1568	4344	windows.exe	114
PID 4344 wrote to memory of 1568	4344	windows.exe	114
PID 4344 wrote to memory of 1568	4344	windows.exe	114
PID 4344 wrote to memory of 1712	4344	windows.exe	115
PID 4344 wrote to memory of 1712	4344	windows.exe	115
PID 4344 wrote to memory of 1712	4344	windows.exe	115
PID 2776 wrote to memory of 4428	2776	cmd.exe	118
PID 2776 wrote to memory of 4428	2776	cmd.exe	118
PID 2776 wrote to memory of 4428	2776	cmd.exe	118
PID 4344 wrote to memory of 1832	4344	windows.exe	119
PID 4344 wrote to memory of 1832	4344	windows.exe	119
PID 4344 wrote to memory of 1832	4344	windows.exe	119

C:\Users\Admin\AppData\Local\Temp\Everythin.exe
"C:\Users\Admin\AppData\Local\Temp\Everythin.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI18802\Build.exe -pbeznogym
      4⤵
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\_MEI18802\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI18802\Build.exe -pbeznogym
        5⤵
        Executes dropped EXE
        
        PID:3724
- C:\Users\Admin\AppData\Local\Temp\Everything.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc onstart /mo 1 /tn nyan /tr C:\ProgramData\windows.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3444
- - C:\ProgramData\windows.exe
    "C:\ProgramData\windows.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc onstart /mo 1 /tn nyan /tr C:\ProgramData\windows.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4428
- C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe
  "C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Roaming\winsystem.exe
    "C:\Users\Admin\AppData\Roaming\winsystem.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4564

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0I5NTBBNjYtMDk3QS00RDRELTk2QUEtNTAxMzFFRjc4MUVCfSIgdXNlcmlkPSJ7REVDOEQyMjMtOTMwRS00QzY5LUI4MkUtODZFQzcwNjAwMjA4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODdGMkI3NjgtMzA3QS00MjNELUE5NzYtMTgyMTlBMUIyOEVEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NzQ0MjMxNzczIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Everything.exe

Filesize
106KB

MD5
060317250cfe7e96901acc7c27a84bc7

SHA1
0e85789e56309e5832dc7d2be081bd4193373ee7

SHA256
d55ef4b76f8250026b20d9c61eb191f9078ff75b846f0d26b29b01c02cd24d35

SHA512
7bbba13add3f69f5a18db2cb9df91725be607bc019c507a2e8feb4e6b45375261dae761682bcb481e5b2cb8e5a245e67c77318c1ff2654df6b7d82dc0532d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe

Filesize
43KB

MD5
e6c670a90c4eb92933de49b9b28d19bc

SHA1
e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0

SHA256
f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009

SHA512
552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\Build.exe

Filesize
23.5MB

MD5
0fd61849e94c85490b775057a83af5dc

SHA1
9c5382a8279db6fc48f6ee2fd533aff321e2da34

SHA256
59e76d8fd7bd881c993531d7d7d0500092c329517646522795ffbe23c40323c6

SHA512
17573a3cf0191f997eda78df15d5b8b81922c8b4e82a75d23846fb23b2a761749a834d02ba344e096c61fe5c94f8f885757ddf8a12e8a4ce986c0a5847d033e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
29.2MB

MD5
c7605aa6808be099dcd48d800545fa6b

SHA1
390b339baa457cbea092497c1d78b998837aef3a

SHA256
c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52

SHA512
a508264c5c051a2e2df8d311a334c3c43bd1355ab40f9079a9433d28e8bbfc1be628dfc1cfc35efe0f1ef749dcd9bb2e1934466e7af1b36725636c6bfbf9a880

Download Submit
memory/1720-46-0x00007FFC229E0000-0x00007FFC23045000-memory.dmp

Filesize
6.4MB

Download
memory/2268-45-0x0000000073AE0000-0x0000000074290000-memory.dmp

Filesize
7.7MB

Download
memory/2268-49-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/2268-48-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/2268-77-0x0000000073AE0000-0x0000000074290000-memory.dmp

Filesize
7.7MB

Download
memory/2268-87-0x0000000073AE0000-0x0000000074290000-memory.dmp

Filesize
7.7MB

Download
memory/4104-60-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/4104-61-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/4104-47-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/4104-40-0x0000000073AEE000-0x0000000073AEF000-memory.dmp

Filesize
4KB

Download
memory/4564-89-0x00000000054D0000-0x00000000054DA000-memory.dmp

Filesize
40KB

Download