quasar | cbfc67591e1ca528c94d3d7c6caf2a7269930f7abc70d693e62f7db1ba342941

Analysis

max time kernel
71s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 08:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Proton.exe
Size

3.2MB
MD5

3dd1db5a4c2ab4202e32192fde58bf71
SHA1

4f39e84991e0a8c1553aa54ea2aaa4d1100b4442
SHA256

cbfc67591e1ca528c94d3d7c6caf2a7269930f7abc70d693e62f7db1ba342941
SHA512

4fdadab6d43b1cdc4e0946183cb612ce12cc555671c3f6b6c8d6aeb7235a379918aa18d3e52b374451eb24384b2441d33116c0df9bcbd13b7a3d133f0dc95f79
SSDEEP

49152:ivLI22SsaNYfdPBldt698dBcjH+y5Q1v+LokdlQTHHB72eh2NT:iv022SsaNYfdPBldt6+dBcjH+y5x

Score

10^/10

quasar proton spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Proton

212.154.101.132:3000

Mutex

1b3adac2-334a-4914-b42a-429f32ec011f

Attributes

encryption_key
8738101E98DC472C5F4C9FE5E109DEF1CA883172
install_name
ProtonStubBuilder.exe
log_directory
Logs
reconnect_delay
2
startup_key
Ethone Updater
subdirectory
Proton

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3736-133-0x0000000000560000-0x00000000008A0000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProtonStubBuilder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ProtonStubBuilder.exe

Executes dropped EXE 1 IoCs

Processes:

ProtonStubBuilder.exe

pid process

3016 ProtonStubBuilder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1796 schtasks.exe
3672 schtasks.exe

pid	process
1796	schtasks.exe
3672	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ProtonStubBuilder.exe

pid process

3016 ProtonStubBuilder.exe
3016 ProtonStubBuilder.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Proton.exeProtonStubBuilder.exefirefox.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3736	Proton.exe
Token: SeDebugPrivilege	3016	ProtonStubBuilder.exe
Token: SeDebugPrivilege	1212	firefox.exe
Token: SeDebugPrivilege	1212	firefox.exe
Token: SeShutdownPrivilege	3272	shutdown.exe
Token: SeRemoteShutdownPrivilege	3272	shutdown.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

ProtonStubBuilder.exefirefox.exe

pid	process
3016	ProtonStubBuilder.exe
3016	ProtonStubBuilder.exe
3016	ProtonStubBuilder.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
3016	ProtonStubBuilder.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

ProtonStubBuilder.exefirefox.exe

pid	process
3016	ProtonStubBuilder.exe
3016	ProtonStubBuilder.exe
3016	ProtonStubBuilder.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
3016	ProtonStubBuilder.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ProtonStubBuilder.exefirefox.exeLogonUI.exe

pid process

3016 ProtonStubBuilder.exe
1212 firefox.exe
3468 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Proton.exeProtonStubBuilder.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3736 wrote to memory of 1796	3736	Proton.exe	schtasks.exe
PID 3736 wrote to memory of 1796	3736	Proton.exe	schtasks.exe
PID 3736 wrote to memory of 3016	3736	Proton.exe	ProtonStubBuilder.exe
PID 3736 wrote to memory of 3016	3736	Proton.exe	ProtonStubBuilder.exe
PID 3016 wrote to memory of 3672	3016	ProtonStubBuilder.exe	schtasks.exe
PID 3016 wrote to memory of 3672	3016	ProtonStubBuilder.exe	schtasks.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 2368 wrote to memory of 1212	2368	firefox.exe	firefox.exe
PID 1212 wrote to memory of 4912	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 4912	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe
PID 1212 wrote to memory of 3464	1212	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proton.exe
"C:\Users\Admin\AppData\Local\Temp\Proton.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Ethone Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1796

C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe
"C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Ethone Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.0.1457838661\1527040786" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f906b523-2479-4b3c-a795-cd47ed00a664} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 1900 17ec088f858 gpu
3⤵
PID:4912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.1.112843998\1741602024" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2256 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d19a0a83-9c82-4b70-9f0d-b508bfd2115c} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 2300 17eb2972b58 socket
3⤵
PID:3464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.2.435689101\1483885259" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 2896 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aadf824-f03b-4330-81e2-8ebf03dfd1b1} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 2708 17ec35de958 tab
3⤵
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.3.677283606\462530139" -childID 2 -isForBrowser -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20c4be66-78ac-4b0b-a18c-42bb5805153f} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 3352 17eb296a258 tab
3⤵
PID:4572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.4.1326235486\2023098723" -childID 3 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b516a33-4c1a-44d3-87ab-382e42ae1b81} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 4200 17eb295e858 tab
3⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.5.1778119366\584386841" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 4984 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc4f162-641e-4af8-81c6-ccf75f8d7fb2} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5028 17ec5ab5958 tab
3⤵
PID:3856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.7.1830571599\1759842839" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {875584b8-d090-482d-ae4d-74c240e60ea1} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5348 17ec5ab6558 tab
3⤵
PID:4956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1212.6.527604632\79834491" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcdfad43-a7c9-4fd8-85ef-ddc6caae9182} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" 5160 17ec5ab4d58 tab
3⤵
PID:1872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
139KB

MD5
07c0216496aa5445a5627ff350ee5606

SHA1
85e7ffcec3de5e5a74b38b4f29bcd661f8eea4ac

SHA256
831f350113a53d986029002fb1a738b23714e42836f50998296c4ba151d27f16

SHA512
a7fc6e8a43fe86576191d48511dba0d73aef135a0a328b657c932c275626a35d41dfc2a58d0bc6f9e8718bfece4f12b234858d6b42812bac3eb0e14486fae36d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
199923d7cd3290221049c6f57ef77e99

SHA1
b0dd844785369d579fb0a1518c6de1655fbaefa2

SHA256
7bcd475544d7bd8e32a387a995a1411face10af7393c8ef8a9711ac13dbc094e

SHA512
994040119a7d4a255b64b67feda8d6467cac614c0b8f1c1015bb5fdd0e2df8e3eccb56a48750a5a43c8233097b30dfe13bc6c7ff900d2b6f4735aa7e56c48338

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
cda43b7f26bcc98109973206f1be3d2c

SHA1
9801b145d7d4dada31fd94a717b0dc5165ffb779

SHA256
8c0ed6087cecadf3074ef22aa13d6911bc3a232c5c56d60723e6c2f283f988a9

SHA512
f34b3157334c6d6b3c6978fa06123a2159396d6776e5a99f49dadaef6cd68e0b607ae6800708dc0b2fdb5e6b16c537e230c3e9031a089defff08bd2ea3850dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
4500d834ec038fd35f171f91d33a2c86

SHA1
085f2591796dc637b3e410d0a1f146d8ab43144e

SHA256
6adbbb47eca360e205178b28870ca343ae5c7508b3c6d6cdcc7f7299f4cbb723

SHA512
21ed72c1229faa065b8311a745311c18e5ff5dc4f54787929551a9d4d60cdd727b1bbe89d710efa9363b838e2311e2a52c7cdff9df4c8fe3d33e53fd28f51436

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
3b8c04be561e4119e895a656c9b27588

SHA1
56910c200457d8c895eb6918c5d2d4221edf8c53

SHA256
2d19131aa2fe69159d67cb1d6f9c019e506ca9ac299e96cc346b69197aa63422

SHA512
264e6fe3733b725512b5c671cc3940e32f2480d50da78ecc82526835653eb875e3892fdba89cef95abd5498911928bee6e51600085b7256c770aeaf1819dde61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b9ed7b7fd6cb1e2d492e8e4520d1fc12

SHA1
4b9420d032c5d4551593a5d32bf587bdb4b02da3

SHA256
03f08e8231c8485b5faa810f69e1edca8569ec43e8b3bb98c163f624e62ac91c

SHA512
6a5cc85b0e8884cf0ebf23753f53f6bbf542faad0fa8f875ec4b5b0325e599d50765a0bb99dd4ea5b3b6726cf5c186d2a38ef8b0fe1aa20b1fd839ffc7420441

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore.jsonlz4
Filesize
854B

MD5
ebc06639a8d15f080c074a5060d0bf76

SHA1
6ee0b3258a9fcb82d606f9a47c017e32f51ae4e7

SHA256
053cf82844992c9d4c76d580b045d9ab2814ece3416fb48b8acd38e74ea90448

SHA512
b2d01d0d158a248229b1b35b3d68a69518893bae5bf6fb4d6a62ea8674c7e743f890ffe7e4b9a4e4bb196110feb90a85b9a65c7b7a0c6ffdff0d94e4c2538e68

Download Submit
C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe
Filesize
3.2MB

MD5
3dd1db5a4c2ab4202e32192fde58bf71

SHA1
4f39e84991e0a8c1553aa54ea2aaa4d1100b4442

SHA256
cbfc67591e1ca528c94d3d7c6caf2a7269930f7abc70d693e62f7db1ba342941

SHA512
4fdadab6d43b1cdc4e0946183cb612ce12cc555671c3f6b6c8d6aeb7235a379918aa18d3e52b374451eb24384b2441d33116c0df9bcbd13b7a3d133f0dc95f79

Download Submit
C:\Users\Admin\AppData\Roaming\Proton\ProtonStubBuilder.exe
Filesize
3.2MB

MD5
3dd1db5a4c2ab4202e32192fde58bf71

SHA1
4f39e84991e0a8c1553aa54ea2aaa4d1100b4442

SHA256
cbfc67591e1ca528c94d3d7c6caf2a7269930f7abc70d693e62f7db1ba342941

SHA512
4fdadab6d43b1cdc4e0946183cb612ce12cc555671c3f6b6c8d6aeb7235a379918aa18d3e52b374451eb24384b2441d33116c0df9bcbd13b7a3d133f0dc95f79

Download Submit
memory/3016-140-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-544-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-144-0x000000001AFF0000-0x000000001B02C000-memory.dmp

Filesize
240KB

Download
memory/3016-143-0x000000001AF50000-0x000000001AF62000-memory.dmp

Filesize
72KB

Download
memory/3016-142-0x000000001B900000-0x000000001B9B2000-memory.dmp

Filesize
712KB

Download
memory/3016-542-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-543-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-145-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-141-0x000000001AF00000-0x000000001AF50000-memory.dmp

Filesize
320KB

Download
memory/3016-711-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-712-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3016-713-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3736-133-0x0000000000560000-0x00000000008A0000-memory.dmp

Filesize
3.2MB

Download
memory/3736-134-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads