quasar | e20f97d57623732bc8c216d8fb182f37b09934728ffa833c12a98a0c0c0957d5

Analysis

max time kernel
111s
max time network
112s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neverlose-Loader-main.zip
Size

227KB
MD5

46de2e1c007d56e22e8abc7885af8bbe
SHA1

0f780f64ea2c22302f8e08a527d5a04fd429aba5
SHA256

e20f97d57623732bc8c216d8fb182f37b09934728ffa833c12a98a0c0c0957d5
SHA512

3bb1a51eea02dbf8d4e7c8fa88e6dae2efedb8d614d64c998c7508e13b3063b7fa7ae48f60196bf9a40045511e17e424ab1b7a30bcef6898acda657ea9c595cf
SSDEEP

6144:B19gu5MiTpOZxQrT56mzfV5bFW1cSguff:BwMJTFo+V5bu1guX

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Neverlose Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000900000001ac49-2.dat	family_quasar
behavioral1/memory/2132-4-0x0000000000300000-0x0000000000384000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

Neverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exe

pid	Process
2132	Neverlose Loader.exe
3728	Neverlose Loader.exe
2468	Neverlose Loader.exe
3356	Neverlose Loader.exe
2660	Neverlose Loader.exe

Drops file in Windows directory 4 IoCs

Processes:

taskmgr.exetaskmgr.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exetaskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3076	schtasks.exe
3316	schtasks.exe
2376	schtasks.exe
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Neverlose Loader.exetaskmgr.exetaskmgr.exe

pid	Process
2468	Neverlose Loader.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4956	7zFM.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zFM.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exetaskmgr.exetaskmgr.exefirefox.exe

description	pid	Process
Token: SeRestorePrivilege	4956	7zFM.exe
Token: 35	4956	7zFM.exe
Token: SeSecurityPrivilege	4956	7zFM.exe
Token: SeDebugPrivilege	2132	Neverlose Loader.exe
Token: SeDebugPrivilege	3728	Neverlose Loader.exe
Token: SeSecurityPrivilege	4956	7zFM.exe
Token: SeDebugPrivilege	2468	Neverlose Loader.exe
Token: SeDebugPrivilege	3356	Neverlose Loader.exe
Token: SeDebugPrivilege	2660	Neverlose Loader.exe
Token: SeDebugPrivilege	4708	taskmgr.exe
Token: SeSystemProfilePrivilege	4708	taskmgr.exe
Token: SeCreateGlobalPrivilege	4708	taskmgr.exe
Token: 33	4708	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4708	taskmgr.exe
Token: SeDebugPrivilege	4320	taskmgr.exe
Token: SeSystemProfilePrivilege	4320	taskmgr.exe
Token: SeCreateGlobalPrivilege	4320	taskmgr.exe
Token: 33	4320	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4320	taskmgr.exe
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	Process
4956	7zFM.exe
4956	7zFM.exe
4956	7zFM.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	Process
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4708	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe
4320	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Neverlose Loader.exeNeverlose Loader.exefirefox.exe

pid	Process
3728	Neverlose Loader.exe
2660	Neverlose Loader.exe
3168	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Neverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exeNeverlose Loader.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 2132 wrote to memory of 3076	2132	Neverlose Loader.exe	77
PID 2132 wrote to memory of 3076	2132	Neverlose Loader.exe	77
PID 2132 wrote to memory of 3728	2132	Neverlose Loader.exe	79
PID 2132 wrote to memory of 3728	2132	Neverlose Loader.exe	79
PID 3728 wrote to memory of 3316	3728	Neverlose Loader.exe	80
PID 3728 wrote to memory of 3316	3728	Neverlose Loader.exe	80
PID 3356 wrote to memory of 2376	3356	Neverlose Loader.exe	86
PID 3356 wrote to memory of 2376	3356	Neverlose Loader.exe	86
PID 3356 wrote to memory of 2660	3356	Neverlose Loader.exe	88
PID 3356 wrote to memory of 2660	3356	Neverlose Loader.exe	88
PID 2660 wrote to memory of 2788	2660	Neverlose Loader.exe	89
PID 2660 wrote to memory of 2788	2660	Neverlose Loader.exe	89
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 708 wrote to memory of 3168	708	firefox.exe	94
PID 3168 wrote to memory of 4440	3168	firefox.exe	95
PID 3168 wrote to memory of 4440	3168	firefox.exe	95
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96
PID 3168 wrote to memory of 2364	3168	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Neverlose-Loader-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:712

C:\Users\Admin\Desktop\Neverlose-Loader-main\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose-Loader-main\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Neverlose-Loader-main\Neverlose Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3076
- C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3316

C:\Users\Admin\Desktop\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\Desktop\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Neverlose Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2376
- C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.0.1813349932\1309541956" -parentBuildID 20221007134813 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d32c158-663f-4ec4-89a7-93550d99d4bc} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 1812 239b8bd6a58 gpu
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.1.1411356062\459621907" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1256912-15e9-49f2-8a1c-bf751a830819} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 2168 239b8afbf58 socket
    3⤵
    - Checks processor information in registry
    PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.2.44686935\1917599539" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2896 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {762edbb3-b24b-42af-88d4-456b0c6617bb} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 2888 239bcf9e858 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.3.1622631005\517622471" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8161df50-b2bc-4756-af67-6d6cf7574630} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 3616 239adb62b58 tab
    3⤵
    PID:4860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.4.906765987\2035436442" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4212 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ba49768-75de-44f8-ae9e-f51de744ec11} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 4232 239becaf958 tab
    3⤵
    PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.5.1441529582\1391637155" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1691e706-8c2d-4d42-bf0c-7a013c31e6f9} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 4808 239bd5bce58 tab
    3⤵
    PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.6.1440245363\1970747144" -childID 5 -isForBrowser -prefsHandle 4944 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {843c5a80-e56e-4a47-9338-2fb406c8971c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5028 239bf2afe58 tab
    3⤵
    PID:5004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.7.254528868\1755933043" -childID 6 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0355d20-6566-4334-9839-c1c76810d753} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5136 239bf2b1658 tab
    3⤵
    PID:1076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.8.764380438\375290804" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf58e31-bbee-4b78-b157-4d2bc7e79499} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5616 239c09dc558 tab
    3⤵
    PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Neverlose Loader.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
9e89044ab7d400dcef4fe53323d46b13

SHA1
b4e5c2585d8de757904a501d524baff4fe4fbcd7

SHA256
df89488d1a55487b570da2ac2ec3e0aab6101bf6cc6fb664f95ff8733b215978

SHA512
5f421174a50b1d1086378e9b0baeb53dd6c71cdfd9a3d30acaa13a76c2c23092b48dfd57204cb5cc3881dd01c940583fe5ebbdcdb8311926b44637a6611c2a56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\49303226-565a-4baa-a4ce-1ec2d8dc8a69

Filesize
734B

MD5
cc8ea78ec29a69cf0103e12336433de4

SHA1
a75b423e9aa8f9f9198f6441abf5fdb82cf82b31

SHA256
7466b0889bc9c015788ea8012435f20326f9c91c745cf28d1e7f3600ad9178eb

SHA512
6b80d07eb1005eac5541682bd0df293c7ab20cd3f662b94de82df784cd7c53e96c492e0cd38b4b9ce547662741b17cc80496cc41e96ee4556a004d767ca9b8d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
95327f593e6a37478ea1a3125e891e97

SHA1
62a380be20fab412852cc76ec65dc9a4890a9b54

SHA256
12106da134af5598c8d5b9ed8c209d607067e58040781623396cc4317c47df06

SHA512
11d97441674e4df97ce62b87f1ba541cf23c7b36522179e824e646770ff2d48a333fa8b10419fc76767c5f14b5a5bd0e16c35220efa5680b54c2795f644293e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
45fc3ce50769916b02aaff46fc92cb43

SHA1
b44a595f85bc04e6f7ec7fe38411d4d6f85f3ac9

SHA256
2ba7e4444437072da46144ff4e9d2d7c7f798ede5b26b9dce7423324fdb46102

SHA512
e704fc0f298d4147243656a8db2cc9fab0f0d056fcbdd1ceb2996e3311f1c657fdfcd92a8b903f1b80be04007caffc7122fe97a6485b9c97000929991ae84ca3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
c25ad8eccd4c5191ff4b381ca0c63c6a

SHA1
9999b1093a8c1dcb804c7f382d2f81e90bfd40fa

SHA256
b6d70020459f78ad0e8791fc720edf13204f9adec2aba78c0f04d70771f28d06

SHA512
c219f2f3a699d5be782a9a519a4bb08a2a2a0118b48af65cded944fe853198b4375aafb31eee5ba47b0afff6ac925863d2f945e107b820ff984effdf6e6549b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\Desktop\Neverlose-Loader-main\Neverlose Loader.exe

Filesize
502KB

MD5
f5b150d54a0ba2d902974cbfd6249c56

SHA1
92e28c3d9ff4392eed379d816dda6939113830bd

SHA256
1ba41fb95f728823e54159eb05c34a545ddb09cb2d942b8d7b6de29537204a80

SHA512
57aade72ad0b45fdf1a6fdfa99e0d72165a9d3a77efd48c0fb5976ab605f6a395ab9817ea45f1f63994c772529b6b0c6448fa446d68c9859235ce43bf22cb688

Download Submit
memory/2132-4-0x0000000000300000-0x0000000000384000-memory.dmp

Filesize
528KB

Download
memory/2660-103-0x000000001C6B0000-0x000000001CBD6000-memory.dmp

Filesize
5.1MB

Download
memory/3728-11-0x000000001B4D0000-0x000000001B582000-memory.dmp

Filesize
712KB

Download
memory/3728-10-0x000000001AE70000-0x000000001AEC0000-memory.dmp

Filesize
320KB

Download