Analysis
-
max time kernel
274s -
max time network
275s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
01-02-2025 09:20
General
-
Target
Synaptics.exe
-
Size
764KB
-
MD5
85e3d4ac5a6ef32fb93764c090ef32b7
-
SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
-
SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
-
SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
SSDEEP
12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
xworm
127.0.0.1:48990
147.185.221.22:48990
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Extracted
xworm
5.0
127.0.0.1:8080
WlO6Om8yfxIARVE4
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/7G6zzQwJ
Extracted
quasar
1.4.1
Office04
0.tcp.in.ngrok.io:14296
cc827307-beb6-456e-b5dd-e28a204ebd45
-
encryption_key
93486CAE624EBAD6626412E4A7DC6221B139DAA8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Detect Xworm Payload 5 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file 8 IoCs
-
Modifies Windows Firewall 2 TTPs 6 IoCs
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 12 IoCs
-
Executes dropped EXE 20 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"2⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\msedge..exe"C:\Users\Admin\AppData\Local\Temp\Files\msedge..exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\msedge..exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge..exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\T.exe"C:\Users\Admin\AppData\Local\Temp\Files\T.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force4⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\2.exe"C:\Users\Admin\AppData\Local\Temp\Files\2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 4004⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe"C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\OLDxTEAM.exe"C:\Users\Admin\AppData\Local\Temp\Files\OLDxTEAM.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 7924⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Client-base.exe"C:\Users\Admin\AppData\Local\Temp\Files\Client-base.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe"C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4472 -ip 44721⤵
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1104 -ip 11041⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1928 -prefsLen 27197 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba83b376-6306-455f-bac8-2689e499ff51} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 27075 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a8ee7f5-5ac7-41be-94d9-839f098a08c1} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1528 -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 1372 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9368064-7aee-4bca-93fe-b1ea14e68e61} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3920 -childID 2 -isForBrowser -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 32449 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74bdbb2b-0bdf-4daa-a22a-a67516c6a2e3} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 32449 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f401c0e-2991-4b2e-aa84-5b94be35ce54} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5456 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0058cb5-6fa1-48b0-9f7f-5834b65742d1} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17027df3-4a5f-4464-abea-64e0eff46fa0} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5792 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {712022a7-8ecf-4c40-80f1-184a1b12c140} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753KB
MD580421089b46d27ad31bba48f8946af3f
SHA171f6418b3ad4310c579f0f50beeff472964d349a
SHA25611f931102f640ea8406d95c2eebeadd1462fd205bc651dac57ac1bcac922e8f5
SHA512d088ff505dc0d6e1f97e466b7e6459d5b8bfcf3ac7676f60851f2af935009a5b4297598725f799bb8d5900e876879d505a78898a7f6a14babe271b8cd134622e
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
408B
MD511c924dd7e95b6c1243d3dc6a6cda57d
SHA1dc5becbb4ba7c94037c13de7163b541f4dfe0b7b
SHA25618ebe71e164d362b1c0464dda0cb3269b2940c40abd588bde37d92c81263ba52
SHA512dd021f43ce21d1fb35119fa9303b09281365ca676b6e944de844b397dd407cee9b17b740220bb09d024ffb6e1acf45d4c41ea4101e6cb011f7a1fa9cbf8e2432
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
1KB
MD526c94c408a5a2e1e04f1191fc2902d3e
SHA1ce50b153be03511bd62a477abf71a7e9f94e68a5
SHA25686ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec
SHA51270e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586
-
Filesize
1KB
MD5cf7fe2d673e1ed05b3fd488f3c422475
SHA1cce033f74b0f2eff380d4f592b80387b4e2033a1
SHA256c52033a95ee76c4cb79540a58e19edc363af2e88b7cee7ae0eef2c8abfe1b46e
SHA51205fa1d1d2b7157b6aff0cef4e63dd05e704f78f6a22f052370c9c37d437d89410545c8ff1a2c2613d3105df881bb1b4ed5286d14263fb13ed79d4c57dec9990d
-
Filesize
1KB
MD55b6f7dfa5ec0387fa9726d85120371b7
SHA1e3d5d917716b722f8639eeab70958e8f4140e955
SHA2567375bbd067e473decffbff9e7f3b440e853d2a1d316192d7178eec1ccb993629
SHA512f2a099fc8f3e937c358c698144faa4b395a72fdea49eca4110574297e9a02737c37a6d28451f56a3f2e470d21aa60108e47cb899041a718fb507a6495eca9a32
-
Filesize
1KB
MD59425291121142e2ae39ad8f778c27431
SHA1499170206ec2d556ca802fa853d06b6520b80af5
SHA25639b7538acb9563e639ff982fc4291d27589e5f70e42736fef9aeddbc9de1f0d8
SHA51252984ba607b3cb9d4e176fb59a42429127a5bdce14f28fb267075232fe485560a5f9ce484b0596ca1613b4d043d47347bb5faf2dffc185236971b52a89400992
-
Filesize
22KB
MD59b7ed6366eec62771a74717b5164ba67
SHA1080cb0da6cb175ed6f63ebd05409419ee9cf5fea
SHA256a57b39387e10da820043ac4df9fb487baa2aa25c14eb9e350d8adbc214292eda
SHA512858097eb9cd632cdb14f55d33d2ca5fc671f3e1b455a5d86e16d67d068c3f5494372909862cc77f6133845757c38199128c458d3e63e756d2bbf3d79480e7742
-
Filesize
10KB
MD52a94f3960c58c6e70826495f76d00b85
SHA1e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA2562fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
Filesize
24KB
MD5ee8c8edd2fe77345049b6ac65b976a24
SHA11274de0e3866460c9547534e81bd63be16176498
SHA2563b9dc165c44c5fbd076f31b118918f3abb157c20b70798b1b8b53c2d9b48e3d1
SHA512636d4feb74e267fab47bb78e88ad8d4f513043bd871bd25611fdc56291592eddd537482465386a714b41559a0bda37b0f62875cda0f4215532138aa314a584d2
-
Filesize
244KB
MD52c718dd514e1cac52c0f19e465fbd25f
SHA1a2684f671fab0aa8371f2537ddd5ce7232e12e7e
SHA256cb00cca58209e8c0e66caa7cfdaf05e6c82b2ffb798699e54335deebc1120c4e
SHA512d760880d5e05e96833e121d560acf2044145857aa29a4c1fb84fe221ae21a31e059f654b5ec873392ee6dc246f543ea9335fe3adae0c51d279e1df89b5fdad43
-
Filesize
1.2MB
MD5712ad2871de1468749729ac94f8d9587
SHA148d1490f398d568ff123d31530238ee78c56e8e4
SHA2564883280412e4f66f70ab0c3ab56e4c57872e2957679ec05c2f6a2a97ecaf8884
SHA5121735a1e50a854050083ef03daed3c175268135a9625cde7f6ef98b85f1aae2968f495dd63148ef0a97aae5c924773af69bb86baffc5d267ac10e9144d31bfa61
-
Filesize
3.1MB
MD521ce4cd2ce246c86222b57b93cdc92bd
SHA19dc24ad846b2d9db64e5bbea1977e23bb185d224
SHA256273c917fc8fddcb94de25686720df1ea12f948dfbebffa56314b6565123ae678
SHA512ff43fe890e30d6766f51922cfd1e9c36d312fd305620954fae8c61829f58d7361ae442bf9145339904eb6a88c2629c1e83f5b8a1d78ab0d13554cf6053d194f6
-
Filesize
27KB
MD597d80681daef809909ac1b1e3b9898ba
SHA1f0ecc4ef701ea6ff61290f6fd4407049cd904e60
SHA256345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011
SHA512f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da
-
Filesize
290KB
MD551edcaec1968b2115cd3360f1536c3de
SHA12858bed0a5dafd25c97608b5d415c4cb94dc41c9
SHA2562be4cdb599fbe73e1d3177599cded9c343fbd32653d0862ca52d09a416fa971d
SHA512f5246ec7ddf5ede76bcdc1cf6ac3c5c77e04e04d97d821b115ca48a4098906f135bd8c42d3d537585a4825a323b342ed067f8ea0b1d87ac6dbfb9931e22b7fa6
-
Filesize
93KB
MD5443a6c714860e407b7d0feff5719bfce
SHA14d5b0f8145e60fe054982ca89ca9ed0bc894c056
SHA256512730abdc9da188cecc53d513bfdb373d11b3266f14d946895036a7b1b0b19c
SHA5121190515caa4a5d781dfbc834237da37ae95cef0b1af57d3f36c82f7f772cce5b9a4b55733aa4f2dc6c96bbbfb0b1b960e6deaf8eb3800112071d3f294f88553d
-
Filesize
28KB
MD578fc1101948b2fd65e52e09f037bac45
SHA1ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44
SHA256d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2
SHA512e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4
-
Filesize
368KB
MD5c58be1efc93ee2934fdd179170da4401
SHA158c804973f3eaa914477285201374edd00d621b8
SHA256d76e77dfa51f2ca6ac15daf0801d281fef6957704c85bc0726b99b3eb4feb470
SHA512730cf99788432220e8d63a06fac1ace64ecfeac1ec7c74c9557014d882f40ab1cb283cdf7ae765cc406c0e2ac6cf4821a33a461c2ea53ec4f95ecb747563a7c5
-
Filesize
2.6MB
MD5c7cbc8281ef904ed9e223774bcc8a829
SHA152d8ea2ae34730e309a375295da14be186d66788
SHA25684db57ee6a5e16b875e27f18cd2faeabb5c6f7e16dfa48a24868e8f3c30fab94
SHA5120feaeb1cb2573661eaabeb0d539d4e04630b83e423cf16a6d09af8d576f355fc4e9e3214020af6b2a8dc3d558057fe1bb34130f4dc5deb94016f36706c04bfb4
-
Filesize
33KB
MD55e667ea0d9c2c150967220e306fb148c
SHA1772d22ffda2f5ae055cc39f5f3b7f2ce41c9c7c5
SHA256ec0cef1c54254ab00469ec1d4884765e886f23ebeae6d7d84929e27a47492a00
SHA512f575199a3ba2667b3872d6a96da29fd68c7026deb12a837c24f2e419f041a4fed0ba01f531403f7191eb12dc69329c279029db31dd738b488ed271410254eebb
-
Filesize
66KB
MD57f7a3dc4765e86e7f2c06e42fa8cd1aa
SHA17e53565f05406060ad0767fee6c25d88169eeb83
SHA256b80255cba447ef8bab084763b3836776c42158673e386159df71862bf583c126
SHA512e9fa71e004c76d01ad125103c0675d677a6e05b1c3df4ba5c78bd9bc5454a6bd22cdd7ab5de26d77cdeb4a3865aec1db7fc080bca7e16deb7bf61c31300c6671
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
776B
MD561db8993935fe85cdb44cca3cf6374ac
SHA1ada7a09440077014c4c28d6cd991ff31f99f6c9d
SHA256bcd0c3be87b17f555811e16489dbc5e9147e84dd66381713adb758f8d1b68c40
SHA51231aa404ca2151169327054d6cf739a21a535b78beefeb22aae30bd5dd5dc6f9c005165ed0422106988d8af3790181ac3a1a95af272f1ba9c52403a135427a4f3
-
Filesize
6KB
MD5a32392dcf3ce5046b57dd43a3f70a927
SHA1c7cd6d12836bea8a9003875375e765d098f2d0b3
SHA256da99089117e0c683bb93732cbf95fbff915b17979ef9287d9ce1ade23d401c19
SHA512eda80e96a0955a4b61d35e1eac7648e5652eb7a33d8d4748022b8ee6f2aa09c8e1b38aca7d1bd2e88794664cd15619884c407c44b3c1706e672f0e7da5254cae
-
Filesize
6KB
MD512eed0fd122641746d630ca0b49c40d3
SHA1c624b10659bb348cec9fba61cd8c6ff6334ce5a0
SHA25629cef605a3615a80f997ed0bb5fb4e581798263e95c6757c5a800cde7fb250dd
SHA5129d1381ff419f1a8818b265a93146d2a3e04ece7d7b00955c3d3df13176365ed31e761a916b3fb7ce84a7c370ad4a7c1211ab81948979313a77fe7b579f1a4879
-
Filesize
5KB
MD58cea84f32ae915558183c20957fd4a0c
SHA1f2388825854c0adeb5cba3472c9f2768f0b7d541
SHA2560582eaaeff820d253c2dea41b4195acaea9d9724c57d653f2d89309b290deb8a
SHA51260e2673bf36e9a74590a4a0650664d7c220e8c5dfb55194da186c3338635ceb1d55f933813eb67f24f4838e5213428ac75fddf2973dc4b05ddac15fa29c0db2e
-
Filesize
671B
MD5b759ef479b95bee6ee3bc2eb404829f5
SHA17ad17a683b3865af8fc0089c66e58c1a6b1adb8b
SHA256d6e7d058bd2d390f4ee0f904ebbcd60c56d0e0efff898b2f3375114b5f627926
SHA512e078e9ee0ef4cb287cde457ed8557209d19d3b00d78520098fb8607a5f17d5a93fd22bd6a2ca801b6336d29bce0e0b9ee5b3947d5b4d52358c5fa1af7897b37f
-
Filesize
982B
MD529e7c4897d71813afeaa9771f01d54f0
SHA1eb49ea654e40caa9dd47fdd259eb47125f07bb13
SHA256df04e913e0f35b647a18cedb98268ab464531f0778f26c1298feb626edef5274
SHA5124630b3039708da5d21a2402d8e4595aa8229c96f3f81fd2f2f2a4cf0fc689e113b02a44d8ef91d59c13481ff5d2509e03ad644cf7f4a370850503f6b62752ac3
-
Filesize
26KB
MD5230e6230bae338f1cbf1e3143e3fd503
SHA1ab18e640a67332332a59f4fd40e23da62ab6c302
SHA25652bfecb9294df6bd116e3cc5a0790b40991099abc32294375182f24f5174491d
SHA512f14fcb6ad051fe4aa0321799f365a8121fa31474392236f90ab0d9b0058b9c625f1c6ec3ce4a2db5242555b218d4297280566dcd6ccae24c1315b3dc59c3e145
-
Filesize
9KB
MD58fdd129da3485594bb2caedc1518cb37
SHA179697712fe5c72728d0ac1d8582abfb0edc9f667
SHA2560e4e2d6833425d601b7cd499adf94be7d47214231319a492172519cd5fc054b9
SHA512542176a35284e7d1c02a3676946688fa8027d4e49e712ce8d9e81576416eed99d1aa1741ac5cdea95578ae096605a25f8acfba2874db8e9a4c999642ed38b06d
-
Filesize
9KB
MD5ae79b02142d5bde717d0b4df1438813b
SHA104b600f4a6a21539deebfdee27a94519542556d1
SHA2560979d2c0fd11e1f4c1c7fe998bb8dade248121b8765f93172e315df63ee141a1
SHA51273026927204f047862045eb2cf5e147910387bf9a4b82ba6892a7cf53fd3bb8638735938a94137ffc02dc7d5e0847bc259cab6abcd24ed1f4a060462b73f5fe0
-
Filesize
1KB
MD59379e994b6fa2112d08dfc6fd718e319
SHA129a2ca4d7a6b816ed0414c9d6e17e7b5ae2fd97d
SHA2569469287b3eb212adb6dbd969fb2f3a528d4e5854abbcc868716e9f585e066ff2
SHA5126ecee387d2635e0e04e51cb82c4a026b0eec80b98704a1e7f617cb9c13a70dcbd42473c3e5537ed43d940632350e23a859fd68d48b610344d0ea2a63f9dccbdc
-
Filesize
4B
MD54d853d9c7197ee7fa81c6535b1f7d655
SHA1eac3d866e991967b385f3dd22da25e410d8f7f49
SHA2565abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96
SHA512dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
776KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
788KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.8MB
-
Filesize
5.2MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
3.1MB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
160KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.6MB