quasar | d4e8227cf61346d7264be4f1f184898cdf84c465e622e9683993d3dcf33c4945

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hrar.exe
Size

3.1MB
MD5

b6ff996e501652ecd561639bcf8c7b65
SHA1

d59eb31de4eb86fd1eb395f4e1c7fc52082c2fe6
SHA256

d4e8227cf61346d7264be4f1f184898cdf84c465e622e9683993d3dcf33c4945
SHA512

040ef39bc0206eccccc1b1a4af8cc46f64ed480333893ea4f5c55701ea50ca34d7c64acf7dcc08fde119cc636f9c2842715cb145b71054bccc8c42ec5fca545d
SSDEEP

49152:PvelL26AaNeWgPhlmVqvMQ7XSKcORJ6abR3LoGdl3THHB72eh2NT:PvOL26AaNeWgPhlmVqkQ7XSKcORJ60V

Score

10^/10

quasar roar spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-45302.portmap.host:45302

Mutex

55e529e2-c08e-4693-b5fc-9b2c7f622871

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1096-1-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002ab81-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
816	windows defender.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3256	schtasks.exe
888	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	hrar.exe
Token: SeDebugPrivilege	816	windows defender.exe
Token: SeDebugPrivilege	1500	firefox.exe
Token: SeDebugPrivilege	1500	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
816	windows defender.exe
1500	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3256	1096	hrar.exe	78
PID 1096 wrote to memory of 3256	1096	hrar.exe	78
PID 1096 wrote to memory of 816	1096	hrar.exe	80
PID 1096 wrote to memory of 816	1096	hrar.exe	80
PID 816 wrote to memory of 888	816	windows defender.exe	81
PID 816 wrote to memory of 888	816	windows defender.exe	81
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 2844 wrote to memory of 1500	2844	firefox.exe	87
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 4200	1500	firefox.exe	88
PID 1500 wrote to memory of 1612	1500	firefox.exe	89
PID 1500 wrote to memory of 1612	1500	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hrar.exe
"C:\Users\Admin\AppData\Local\Temp\hrar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3256
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd8f15f0-f5b6-4408-9153-58dc14e2020a} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" gpu
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf95804c-1b4b-4fdf-ac92-ce8a2a187714} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" socket
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 3228 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cde4e66-07be-4a4e-a081-4c010c13d47e} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" tab
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3448 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beec1994-a699-4e1b-bf16-c03f1e831032} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" tab
    3⤵
    PID:3972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {273e3576-d767-4628-af8c-a68ebba80816} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" utility
    3⤵
    - Checks processor information in registry
    PID:4016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5296 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da2053b4-791c-4649-939d-8e73d6b22dac} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" tab
    3⤵
    PID:3188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d39a7451-3a26-416a-a2f5-ba6e489c85c0} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" tab
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {defcf04f-4ce5-40bd-aef1-35a107d5a5ad} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" tab
    3⤵
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
f5c090b6930204cc739f699ae6f3d1f3

SHA1
80ac7c8bc806ee7cb69d2511bd7880747406aed6

SHA256
4530b61a0ea28e38ab10b44ee13c8adeaf1d3d6ac2c30a42f643c31f76f92595

SHA512
c27bf52b236993e732e8dc9db7a39fb078f6e242fe907b81af77d8f0305bdaefb93114509be74ea34a4bf7ec0727ce9f938a7d1ec986f562b584e291c11e598d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
8d9b05dd02d24932bffbe4964ccc2726

SHA1
c2b2e6c3e5df82ec397e0c9655265511947f7784

SHA256
bf0524de32a37aab0141d9bee0f6773b865cbc60330c2121a32c24cbc4b89ccd

SHA512
59112ad3cd8ca16cf7a08332d88e4d5c64f9f846792db1cfa49c4e460fa1bdad28b33438d354e15d922280d032a83d28656904b6d517403bb61725c7e78f8ecd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
626835fc47aa4c925c1fcd476e16251a

SHA1
64b012b6380bbf20d4fbbeb4db03ba50e07cf437

SHA256
a9f8de14565ae8801848c75b89d50ef68e7f27849ebc74e876ba7708ac8ea6ef

SHA512
c2e4773100d48da31e86d76a730a5509f53268399aefdf5c72255458aee1faba63fcbe1beffa5f90f2d8dfa4abbb6c9b806ba31bc111fb0191ec5abede72df10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
3b471cd3569dad249977e0c58da48d5b

SHA1
89f7cec0517af0bdccf68cf9de8fbed029d53fef

SHA256
b9779e363d4e26591f8eab286cef83358259fa3dbebbe8604ab018f3c55e2c0e

SHA512
a37256e163d0825b4c3c94d713488a31a71066329b9f944f9e26823a137e340d823c7f523cbe385208acc4d78ac45967818420a7138d7bcdf07ce30655d58925

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
eebfd3de819724f613a3ed2adb822fe3

SHA1
d133c43d590a1f8879e1368afa570ebb7de033c4

SHA256
d9e37f5120007a5188a7d7a460eea734928c531f11cb71e9e9cf47fd1238050c

SHA512
cb11618e5c1383306e438a992cc829d8531320b29bfb0dff2eef64dc2bbf5317d53071f1581bcb0a18c899bf1884d72d895323fd3495800e7ddbe22fcbb6df09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
5ca45c8a7acf9496b6178155e8443c1f

SHA1
af9ed0edd596574e20b14ed703cfdae22e1fe0eb

SHA256
d958ed074311cb73a90b4c46c9a7ea72f2673e2ccccfb32dcdce1bec5278eab7

SHA512
322b8de026ba1f32367d86736cec098a972bace4a8b7aaff7e2abddaa637a3e9b2d8de65664745af33adb7b9344b2edb505812074f5f039ac6a30888a731b247

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\01c1dc23-9213-4d24-80f6-4e3cf5703aef

Filesize
659B

MD5
ec350eafdefe55aa1d454a7317f40ec7

SHA1
b8af29507928ca48751a1dc8d4c63c00e244eb43

SHA256
34d350e7168056c1a68391f23fa17cee4c275999a66eb603d67b3b159ef34663

SHA512
07fdf23c3910db1c5e50e6565f870f142cdffd4c49066c5999cd40886478cb4cd1df4d69dd5683a3805ffdd7a61608c6d0245515909668feba2932f83768ed8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\4245a0ba-c2c6-4de0-ac64-b526bd9a190b

Filesize
982B

MD5
7560297496a36ef4cb05722723eb178b

SHA1
f5b8ed79208dd2c17a7d6f5efe8dfde60857bd97

SHA256
60b9bc5fb288fb197af33be29a13485d58909e1af88a3f130e2769c594db6819

SHA512
ba7d2dd33b084b90b8575f9ea32eab232b093f6c524a2bf114e3bc764eb4bf977f82113df5d7e1e790eb35faf7e5fc5544955e6e489a8291128d15ee1ee3982f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
11KB

MD5
023f505dad56d227ba94707538f28576

SHA1
df8755abfce826e48f030435f4bd7eb76298aef1

SHA256
5bd116ca59239bc7854f827ec47135b4963dfa6943c6975031817bcf68cf36b9

SHA512
7377657589e34d1f8a0bb2c45b580c3e0ab10d4faf3295a7a707d017cc9063cc6a604c182cc0c42ae9c88675e9d035c06b5fd57e56b514855255a82af9a4f2b4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
b6ff996e501652ecd561639bcf8c7b65

SHA1
d59eb31de4eb86fd1eb395f4e1c7fc52082c2fe6

SHA256
d4e8227cf61346d7264be4f1f184898cdf84c465e622e9683993d3dcf33c4945

SHA512
040ef39bc0206eccccc1b1a4af8cc46f64ed480333893ea4f5c55701ea50ca34d7c64acf7dcc08fde119cc636f9c2842715cb145b71054bccc8c42ec5fca545d

Download Submit
memory/816-10-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/816-18-0x000000001CD10000-0x000000001CD4C000-memory.dmp

Filesize
240KB

Download
memory/816-11-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/816-17-0x000000001BA70000-0x000000001BA82000-memory.dmp

Filesize
72KB

Download
memory/816-14-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/816-13-0x000000001C1C0000-0x000000001C272000-memory.dmp

Filesize
712KB

Download
memory/816-12-0x000000001B890000-0x000000001B8E0000-memory.dmp

Filesize
320KB

Download
memory/1096-9-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/1096-0-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

Filesize
8KB

Download
memory/1096-2-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/1096-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads