Analysis
max time kernel: 68s
max time network: 75s
platform: windows11-21h2_x64
resource: win11-20250314-en
resource tags: arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/03/2025, 19:18
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe
Resource: win11-20250314-en
General
Target: https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe
Malware Config
Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
- Diamondfox family
  resource                                                                     yara_rule
  behavioral1/files/0x001900000002b45a-40.dat                                  diamondfox
  behavioral1/memory/5736-87-0x0000000000300000-0x0000000000DF2000-memory.dmp  diamondfox
  The second match is in a memory dump of PID 5736, the first instance of the dropped executable.

Downloads MZ/PE file (1 IoC)
  flow  pid   Process
  5     6068  chrome.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  5736  SEO Backlink Panzer.exe
  2168  SEO Backlink Panzer.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  1     raw.githubusercontent.com
  5     raw.githubusercontent.com
  Flow 5 is the flow in which the PE file above was downloaded; the github.com /raw/ URL given as the target redirects to raw.githubusercontent.com.

Drops file in Windows directory (1 IoC)
  description                   ioc                    Process
  File opened for modification  C:\Windows\SystemTemp  chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier; its contents (in particular the ZoneId value, 3 for the Internet zone) are known as the Mark-of-the-Web (MOTW).
  description                   ioc                                                               Process
  File opened for modification  C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier  chrome.exe
  Caveat: the modifying process is Chrome's quarantine utility (PID 1876, quarantine.mojom.Quarantine in the process tree), which is the browser writing the mark onto the finished download. The signature fires on the stream being opened for modification; on its own it is not evidence that the sample removed or bypassed its mark.
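To make the stream concrete, here is an added example (mine, not part of the report or of the sandbox's tooling) that parses a Zone.Identifier stream and classifies the zone. SAMPLE_STREAM is constructed: the ReferrerUrl is this report's target URL, the HostUrl path is an assumption, and the real stream written for this download is not shown on the page. read_motw() opens the stream with the `path:Zone.Identifier` syntax and therefore only returns a mark on an NTFS volume under Windows.

```python
"""Parse the Zone.Identifier alternate data stream that carries the Mark-of-the-Web.

Added example, not part of this sandbox report. The stream is a small INI
file with a [ZoneTransfer] section; SAMPLE_STREAM is constructed to mirror
what a browser writes for the download in this report (the HostUrl path is
an assumption, not the captured value).
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values from the Windows security-zone model.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/"
    "SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe\r\n"
    # constructed: the real HostUrl path was not captured on the page
    "HostUrl=https://raw.githubusercontent.com/example/path/SEO%20Backlink%20Panzer.exe\r\n"
)


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Zones 3 and 4 are what SmartScreen, Office Protected View and the
        # "publisher could not be verified" prompt key on.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> MarkOfTheWeb:
    """Parse the text of a Zone.Identifier stream. Raises ValueError if malformed."""
    # interpolation=None: URLs contain '%' sequences that ConfigParser would otherwise expand.
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text)
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError) as exc:
        raise ValueError(f"not a Zone.Identifier stream: {exc}") from exc
    return MarkOfTheWeb(
        zone_id=zone_id,
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the ADS of a file on an NTFS volume (Windows only).

    Returns None when the file carries no mark, which is what you see after a
    MOTW bypass or after 'Unblock' in the file's Properties dialog.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


def describe(motw: MarkOfTheWeb) -> str:
    origin = motw.host_url or motw.referrer_url or "unknown origin"
    return f"zone {motw.zone_id} ({motw.zone_name}), from {origin}"


if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(describe(mark))
    print("treated as Internet download:", mark.from_internet)
```

Running read_motw() against the downloaded file on the analysis VM before and after the sample executes is the direct way to tell a browser writing the mark (as here) from a sample stripping it: a mark that is present after the download and absent afterwards is the bypass; a mark that is still there means the signature only saw the browser's own write.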
Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4920  5736        WerFault.exe  90
  1880  2168        WerFault.exe  99
  Both instances of the dropped executable crash and are handled by WerFault.exe from C:\Windows\SysWOW64, i.e. the sample runs as a 32-bit (WOW64) process. The behaviour recorded for the sample is limited to what it did before the crash.
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SEO Backlink Panzer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SEO Backlink Panzer.exe
  One open per instance of the dropped executable (PIDs 5736 and 2168). Normal runtime locale initialisation reads this key too, so a single open is weak evidence of deliberate geofencing; it becomes meaningful only alongside a locale-dependent exit or branch.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868855354389500"  chrome.exe

Modifies registry class (4 IoCs)
  Process for all four entries: BackgroundTransferHost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"
  Key created      \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\MuiCache

NTFS ADS (1 IoC)
  description                   ioc                                                               Process
  File opened for modification  C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier  chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3768 chrome.exe (all 4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid 3768 chrome.exe (all 3 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries are pid 3768 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege.

Suspicious use of FindShellTrayWindow (36 IoCs)
  pid 3768 chrome.exe (all 36 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 3768 chrome.exe (all 12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 3768 wrote to memory of 2744  3768  chrome.exe  78
  PID 3768 wrote to memory of 828   3768  chrome.exe  79
  PID 3768 wrote to memory of 6068  3768  chrome.exe  80
  PID 3768 wrote to memory of 5868  3768  chrome.exe  81
  The rows for 828 and 5868 repeat many times; all 64 entries are Chrome (3768) writing into its own crashpad (2744), GPU (828), network-service (6068) and storage-service (5868) children during their launch. No write into the dropped executable is recorded.
Processes
(indented entries are children of the process above them)

C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 3768

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff29bcdcf8,0x7fff29bcdd04,0x7fff29bcdd10
        PID: 2744

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1952 /prefetch:2
        PID: 828

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2072,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2156 /prefetch:11
        - Downloads MZ/PE file
        PID: 6068

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2428 /prefetch:13
        PID: 5868

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3120 /prefetch:1
        PID: 1016

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3172 /prefetch:1
        PID: 6088

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4160,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4172 /prefetch:9
        PID: 2988

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:14
        PID: 2416

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5732,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:14
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS
        PID: 1876

    C:\Users\Admin\Downloads\SEO Backlink Panzer.exe
        "C:\Users\Admin\Downloads\SEO Backlink Panzer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5736

        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1100
            - Program crash
            PID: 4920

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5904 /prefetch:14
        PID: 2788

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:14
        PID: 784

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5968 /prefetch:14
        PID: 2716

    C:\Users\Admin\Downloads\SEO Backlink Panzer.exe
        "C:\Users\Admin\Downloads\SEO Backlink Panzer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2168

        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1072
            - Program crash
            PID: 1880

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    PID: 1848

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID: 4724

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5736 -ip 5736
    PID: 5808

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2168 -ip 2168
    PID: 5944

C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    - Modifies registry class
    PID: 5688
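The process tree above is a chain worth detecting outside a sandbox: a browser downloads a PE, its quarantine helper tags it with MOTW, the file is started from the user's Downloads folder with the browser as parent, it opens the NLS\Language key, and WerFault handles its crash. The following added example (mine, not the sandbox's own detection logic) correlates that chain over a constructed event list built from the PIDs, paths and registry keys shown in this report; the Event and Chain field names are my own, and a browser child that is not in Downloads is included to show it is ignored.

```python
"""Correlate sandbox-style events into "browser download executed" chains.

Added example, not part of this report and not the sandbox's detection logic.
EVENTS is constructed from the PIDs, paths and registry keys in the process
tree and signature tables of this report; the field names are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOADS_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.IGNORECASE)
NLS_LANGUAGE_KEY_SUFFIX = r"\control\nls\language"
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")   # "-p <pid>" in a WerFault command line


@dataclass
class Event:
    kind: str                 # "process" | "file" | "registry" | "download"
    pid: int
    process: str              # image name of the acting process
    detail: str               # image path / command line, file path, registry key or a note
    parent_pid: Optional[int] = None


@dataclass
class Chain:
    path: str
    pid: int
    parent: str
    motw_written: bool        # a Zone.Identifier stream was written for the file
    language_discovery: bool  # the process opened the NLS\Language key
    crashed: bool             # WerFault.exe was started for this pid


# Constructed from this report: Chrome (3768) downloads the PE in its network
# service (6068), its quarantine utility (1876) writes the MOTW stream, then
# the file is run twice from Downloads and crashes each time.
EVENTS: List[Event] = [
    Event("process", 3768, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("download", 6068, "chrome.exe", "MZ/PE file", parent_pid=3768),
    Event("file", 1876, "chrome.exe", r"C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier", parent_pid=3768),
    Event("process", 5736, "SEO Backlink Panzer.exe", r"C:\Users\Admin\Downloads\SEO Backlink Panzer.exe", parent_pid=3768),
    Event("registry", 5736, "SEO Backlink Panzer.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("process", 4920, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1100", parent_pid=5736),
    Event("process", 2168, "SEO Backlink Panzer.exe", r"C:\Users\Admin\Downloads\SEO Backlink Panzer.exe", parent_pid=3768),
    Event("registry", 2168, "SEO Backlink Panzer.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("process", 1880, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1072", parent_pid=2168),
    # Browser noise the logic must ignore: a chrome.exe child that does not run from Downloads.
    Event("process", 828, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=gpu-process", parent_pid=3768),
]


def _crashed_pids(events: List[Event]) -> Set[int]:
    """PIDs named by "-p <pid>" on any WerFault.exe command line."""
    pids: Set[int] = set()
    for e in events:
        if e.kind == "process" and e.process.lower() == "werfault.exe":
            m = WERFAULT_PID.search(e.detail)
            if m:
                pids.add(int(m.group(1)))
    return pids


def find_browser_download_executions(events: List[Event]) -> List[Chain]:
    """Return one Chain per process started from a Downloads folder by a browser."""
    processes: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    ads_written = {e.detail.lower() for e in events
                   if e.kind == "file" and e.detail.lower().endswith(":zone.identifier")}
    nls_readers = {e.pid for e in events
                   if e.kind == "registry" and e.detail.lower().endswith(NLS_LANGUAGE_KEY_SUFFIX)}
    crashed = _crashed_pids(events)

    chains: List[Chain] = []
    for e in events:
        if e.kind != "process" or not DOWNLOADS_DIR.match(e.detail):
            continue
        parent = processes.get(e.parent_pid) if e.parent_pid is not None else None
        if parent is None or parent.process.lower() not in BROWSERS:
            continue
        chains.append(Chain(
            path=e.detail,
            pid=e.pid,
            parent=parent.process,
            motw_written=(e.detail.lower() + ":zone.identifier") in ads_written,
            language_discovery=e.pid in nls_readers,
            crashed=e.pid in crashed,
        ))
    return chains


if __name__ == "__main__":
    for c in find_browser_download_executions(EVENTS):
        flags = [name for name, on in (("motw", c.motw_written),
                                       ("lang-discovery", c.language_discovery),
                                       ("crashed", c.crashed)) if on]
        print(f"pid {c.pid} <- {c.parent}: {c.path} [{', '.join(flags)}]")
```

The parent check is what keeps this rule quiet: Chrome spawns a dozen helper processes per session (all visible above), and only the two started from Downloads qualify. On this report both chains come back with all three flags set, which is the pattern of a download that ran and died rather than one that established persistence or C2.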
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 414B
MD5: 3dbc124da47d745f90c8448163ac9cb1
SHA1: 7fc1ca92096f858487d38f9ef3a31d9db893b3d8
SHA256: 22239f729b670de7470125d743f8b74e83c2c33db4f69603f14f3ec4b6d1084a
SHA512: 78d3fafe6f873bc03e2a7adcb6c983f1aac167e0104df411b4db5e903642dae33c437076e37417ce3785315ad4fc050ff3940bf7eb9326fe81c48fffdedb5294

Filesize: 2KB
MD5: 851f381a7a147a34542a5257170250a0
SHA1: 105653eab32bb80e31cdd5f5bde84e8ad522dfe7
SHA256: 41c2ed03b26e910d909fc173f944f6c65e37a28f0725627679d7dfed8cbee6e9
SHA512: 7dfee3501df7d43cee56223ce5bce778331dd3bdbb04a74f618cf64d45aff94233ea397212a7b321bbd81e9a1c321811d376e96dfb7707b8314db86104e45b16

Filesize: 2B (the two bytes "[]", an empty JSON array)
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 10KB
MD5: 1a077e41bf231985c5478bbbe9a38685
SHA1: dd711f894bc1d2541fcb3a8c347ebb85f2882ae3
SHA256: 7ef25d798ef222c7f00a886759d91571c636b7e608587b48ad35c8f7c3004511
SHA512: 03d0c1c2751dda1eaa37b4bb083027453bf426c4536da8fe43104ad3397c997ad097bf3399ad8a051c9a033f785da8236a47bffd5f4510d8b5131ac356a258ed

Filesize: 10KB
MD5: cbd968b52063db4df1c6050cd637db3e
SHA1: 0e232406252aac55d8e7456429c605964c422343
SHA256: dd1bd96dcc3aee8838f5ade07f7f7aeda86136c2d7490b6de6d706a5041775f0
SHA512: b492e66bf0170aa1a8c3ea6d9e2b6372f8d85fffb1843144cbb322c690f6d9ee04237c6a8530fcece7323f90e5316978a72282d3bd15448897566ac5a2c0a0fb

Filesize: 15KB
MD5: 049123b782022622224f318056842354
SHA1: a412982afd05cb84eab8db678cfdafe912d6099b
SHA256: 6983dd15e495c101dc6b77019a96ea40d9f47a24d606de2d893f9708c41202ef
SHA512: 2c45eac0e382ef0a6fdfd423e6efb67400ec945fcd8a8d3c972bde8100bfccfd3fe594f69ba49ae1d84ee97a1fc29bad21bd52088bfef418551485d1548fca6d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 6e293669ee49df8dd6cdce4cd4ad9403
SHA1: 34be441a0069b222d01d71b733487107753ee1e5
SHA256: 288fe61bd27f95953a109e189cd7b09b0940c7081e7f69c9ab9bbedfb704e5f7
SHA512: 548a252202c32474251e7bd38374aa78113e111da75fea55cb9d50c01fc9edc40d5fae4751cc1b9990e47f1a312f566cf94198860ba3a262fdda049035e2d81d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cf0a1.TMP
Filesize: 48B
MD5: b1b6e6e62e1de22c0e0a706f16696c9b
SHA1: 8f26ae6f05b19816c01ff9fcfad28dea0534f273
SHA256: 85728858f9e020a9f7a7774366776d2df82ad709d14cea36119a2f1c9885e26f
SHA512: 6148d94fa8a380d81d5f75c5c3fa2499784243581ffdaae8acc51d57df8086f4589c41275518ddf12736553c808abe738b6149bec7ae4cf57064e77e8dd0d136

Filesize: 81KB
MD5: e22797435d8ec689b69b6d82dc962926
SHA1: 0df54d3575a73bc629940892c2deda53a30f7dca
SHA256: 13c5e2c073237ec9e23ef4e99353aa06a6971b298a5217e301d2a770fc261cce
SHA512: 48ff314877f1e48b8fe6b2ab42981d496105a48c4460c154310ad5bde0ea8555bb74657f796314a824d779f1508e2ae35ea287071bc39adcacdf88eefc4d2426

Filesize: 80KB
MD5: edc6ef8935cfdfe6a4fc7a81757c46d4
SHA1: e9b2ad80b94363d5a62c72327169abe80a62831e
SHA256: 1910970052e36b3e91f6223443ce6cc63ff13c1cd329c7cb8786ff7efc763c8d
SHA512: 0e7ef2f6cbef29e33f2d95f45446de0fbafd64c1588dde76f7a4ebdf2c8e962cdd2eac51d9410cfb63c3e2d502049c0fea7d00db200c35e0f54df86fad9657e0

Filesize: 81KB
MD5: 7a7fa706e4c3a51ac913d89394df1629
SHA1: c1484a0a3cfe9966708e72e35baeed205a37dd05
SHA256: 4f905b7cea7fc9f94f3a17df2d7b4e90f8bfa9a628e5c36a0abac9c75cbd8da3
SHA512: 93e60b4c18a4b914acfc247010de84d37b166a22216e69ae3434c6cd177f3bc67de4a97a25c613997b0128b5f2b87358e50c561c590666faaac43b5a033de214

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8cba12af-f277-466a-ad1b-5c2f46fe3ba9.down_data
Filesize: 555KB
MD5: 5683c0028832cae4ef93ca39c8ac5029
SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 10.9MB
MD5: ed835a9838e911e8e31d1860f11869e7
SHA1: 413a09db0efd34c3cea48d41efbcde49f4d9dcae
SHA256: 76f3526d5deb882171cf15a4103c2c8e831ec12c59e6f00852b898f7a641d0d0
SHA512: 916756996232b75a6e4d292585021ba3f93e6f8609e34439f73796b3c4f50bc4369e518b97f5947a76d64532c8946e991aa45e2ef74b59c86973cee09cf7ce52