quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
65s
max time network
72s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004505d-2.dat	family_quasar
behavioral1/memory/4972-5-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4972	PORQUEPUTASYANOSIRVE.exe
3300	Client.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
1316	schtasks.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	644	7zFM.exe
Token: 35	644	7zFM.exe
Token: SeSecurityPrivilege	644	7zFM.exe
Token: SeDebugPrivilege	4972	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	3300	Client.exe
Token: SeDebugPrivilege	2208	firefox.exe
Token: SeDebugPrivilege	2208	firefox.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
644	7zFM.exe
644	7zFM.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3300	Client.exe
2208	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1316	4972	PORQUEPUTASYANOSIRVE.exe	91
PID 4972 wrote to memory of 1316	4972	PORQUEPUTASYANOSIRVE.exe	91
PID 4972 wrote to memory of 3300	4972	PORQUEPUTASYANOSIRVE.exe	93
PID 4972 wrote to memory of 3300	4972	PORQUEPUTASYANOSIRVE.exe	93
PID 3300 wrote to memory of 3068	3300	Client.exe	94
PID 3300 wrote to memory of 3068	3300	Client.exe	94
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 416 wrote to memory of 2208	416	firefox.exe	98
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1480	2208	firefox.exe	99
PID 2208 wrote to memory of 1324	2208	firefox.exe	100
PID 2208 wrote to memory of 1324	2208	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:644

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1316
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {329c6674-1f6f-4ee4-8bfe-14eb7070ca8e} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" gpu
    3⤵
    PID:1480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f8c76f-d748-4244-859a-b99ffc822fcc} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" socket
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3004 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f4c5881-80f6-4fe0-b64c-2be96007c9a7} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4360 -childID 2 -isForBrowser -prefsHandle 4352 -prefMapHandle 4340 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe9f64d-e514-4d15-a016-8abfefd56daa} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:3508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4876 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808de33c-8b43-4c98-84d4-5a7314339519} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" utility
    3⤵
    - Checks processor information in registry
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 5180 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eefa32c3-b4f1-4884-8ff7-1087064dbad9} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bba8831-fbb3-42ed-9b89-426a6eebbf85} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70427f6e-0e9a-4781-b507-aae58cefc9ce} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:5408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 6 -isForBrowser -prefsHandle 6180 -prefMapHandle 6156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {951bf489-3a22-4aec-9ba0-97ca096452e4} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
    3⤵
    PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
d39c20e24c971575522612d02cb950c2

SHA1
ae6b513c86d99912c9c8e09002c5d12555285e43

SHA256
2ec0ffd247ee44f6afda94ea10ef7eed9e54067db86f029c5499fb7dfbb5604d

SHA512
dc3dab13036654a54b41288ea61093956b1a368b40e7d42d7df7d59aa15d0372ec37fd7cc0d6bde0f362760606cda4e2cde2bfbb3bb0e8afffe87eb195b7386d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

Filesize
8KB

MD5
6603f1ae67a93ffb95fefd6cbcb2c761

SHA1
e2c639a0829dbbd7e73d7cb8e6491dbb74bca86b

SHA256
65e1d655f29b13fb8669d41382ac4af6770e13d4efd03ced513e3e3796e96489

SHA512
8f6dbb8ec8e84f6fd46bc35c93e250a00786316ce27f0218414fa525dd165d860ae13bd29ebb1522e3d1b0dfc969110bd0c3672d88fea01c9e52bee669d225c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
6192e0ea182559dfa2819f315ec57b47

SHA1
7ad407e7a8088ddeeed44ac33c7a5fcfe77d327d

SHA256
6f1b07345448950b2c7688fa5f85ceb8210734565d589a0d76be2269c17caf7f

SHA512
8c4243725e00c8ed01a3c12b7d16ba186df3c06f6ffdab671a6c9f6af37af975763e1365203317b37f9fb6785aa70fe1443797ce7c65370c2bcf4f72ea5082c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1445597b4de798aae850605579cd7fc3

SHA1
6b1c29906d616444c34b5040f751c95eaa586847

SHA256
163a97e6ec75da27516d0fee366c17d2916bc7d504ff8e1b402dfc32c980bab3

SHA512
92c118c2509c622998429862ef7f1aba6aa96892c351fb40a197f8bc595abcf65a84dcde5c55d5aa07a1ce247138b2fbd5bc5ea3546188bbfe4a64d7f10b04c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\ae1a76eb-07f3-43ee-ac12-82ff74d693d6

Filesize
671B

MD5
7e9a7c5a1a39ff70e9fdd3f1cc9df74c

SHA1
6636d806df62d3f2b62d7b62f9b59821b6af9325

SHA256
1e0ed9ee72ac492f3b02b1385656f6b8431d41ac32f7957471671c9b9fc46497

SHA512
79c124aa3d1bb9e42e2f7401040e5e65ef2bda38fb3bbe4557ff6b538d17e591155b1fb676f0836bef03cb4a672ab7c4d202ff46a60d63156cf44abad0d26025

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\e8715dac-d5c3-46db-bf06-6d82da167590

Filesize
982B

MD5
55222a6922dc21768f56fc32485dbc95

SHA1
1ac357d04206b613cdaa77d643d119304994fe2c

SHA256
2b686168b39a58aa366a977fbb08cdb3e3609ee2ddfc5af2f2f55bca85b4ede2

SHA512
8985461cc94fa89c9943dfe7a8fb644cb9c61114c129e03ced323112ed8fa2f301f1d781b7454a01866cceaf3c9663c309d496e025d86b860598f791c0c305c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\fb091bde-7650-45bd-9b4f-9001a3028288

Filesize
25KB

MD5
005e44fddf1f8d0d06162363a13d0923

SHA1
8c4f854405c44286b58be08302dbbdffbfdf8a79

SHA256
02b749a1869b93a487022e720e9730236422ddddd7bb20e6a20f3a8a5ca19d52

SHA512
decf4d81aacce857fbc82edb268a26c2b188be7199357deaa66f63fdc4d4fd1d98fb2dde6d7ad7944cb5c01a3c054f65ee8ef12bb4d59535ea4a2ab16ec40d53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

Filesize
11KB

MD5
ee5de6d78d3fc922a2604dcf1146da08

SHA1
1204195cdb003ccf5b6e58e921db587603fa5f19

SHA256
10b232aebbe2a20d608658c130d5c6bc856a79d2a7cb66e3c8ba9f55dc466d2a

SHA512
89171b2287d6d0a677184689b73164ab5b4da3432e9f7b0762c582199adf583f76fde467cd773934c7072f9900bcda3f3eebe654e9886032069bad183e7e0e25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

Filesize
10KB

MD5
e29e3bf18870796352a2da8767a4857d

SHA1
902df46d9b36eb2c853bba410119c50e6ce82ded

SHA256
0a75fe8dbd5c9fad3754d3be41334857b118cdc8d6f7b70079908028fdabef64

SHA512
d51a56ccf8874de6c9ae14078f475257053a7fe1a4c930225292aad753f1dc640d4ea43049dc0f3e708cae9eb3bb454446a47d340f56ed2b4cb6b4bddd14d1ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
1af1a3e7fc2a32bf72d3dfb21cbacdca

SHA1
16c2b0e080c6c587f0cde01af5a05ce36aecc7b5

SHA256
20bf4cb3e956c37eaf34031042ffc404d70041e2fa0bffbda44eddc1c66e5609

SHA512
93c8d79eda4de1998dbec62189c7fb10bd7bca26525cfb230d8948542e29d494a1bf36580cb111e846594a05fd5bdd913226ec1ce0ff6f246b01fab811fdb577

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/3300-15-0x000000001CD40000-0x000000001CD7C000-memory.dmp

Filesize
240KB

Download
memory/3300-14-0x000000001C1B0000-0x000000001C1C2000-memory.dmp

Filesize
72KB

Download
memory/3300-11-0x000000001C200000-0x000000001C2B2000-memory.dmp

Filesize
712KB

Download
memory/3300-10-0x000000001AFE0000-0x000000001B030000-memory.dmp

Filesize
320KB

Download
memory/3300-276-0x000000001D8D0000-0x000000001DDF8000-memory.dmp

Filesize
5.2MB

Download
memory/4972-9-0x00007FFF65EB0000-0x00007FFF66972000-memory.dmp

Filesize
10.8MB

Download
memory/4972-6-0x00007FFF65EB0000-0x00007FFF66972000-memory.dmp

Filesize
10.8MB

Download
memory/4972-5-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/4972-4-0x00007FFF65EB3000-0x00007FFF65EB5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads