quasar | 5cc228520e77d8d98a9737e6ed9e560e7766bee0d3986593e6d78b3f62254ebf

Analysis

max time kernel
131s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7979af405ec3fc618b94083c15a703f2
SHA1

a1cec10272213425b8b5a2310de229f5962b9674
SHA256

5cc228520e77d8d98a9737e6ed9e560e7766bee0d3986593e6d78b3f62254ebf
SHA512

8c66339bc802cba4dbc4caa8a4a310470b2e205a3edd7f8f2dfe10514782b8c3506d5d71618b7684a9e789d316c5da9aaf775fdbb8c1d8433a35f1aff50162ee
SSDEEP

49152:PvCI22SsaNYfdPBldt698dBcjHwx6EMkYk/JK0oGd8ITHHB72eh2NT:PvP22SsaNYfdPBldt6+dBcjHwxfBM

Score

10^/10

quasar exe spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

exe

192.168.4.70:4782

Mutex

20b94a11-6f09-4a42-b723-e2b3fc07ea20

Attributes

encryption_key
85087DC59010C3D9E4749A15AB7F44397E834804
install_name
Client.exe
log_directory
Logs
reconnect_delay
1
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3124-1-0x00000000009B0000-0x0000000000CD4000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aafb-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1808	Client.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe
3668	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	Client-built.exe
Token: SeDebugPrivilege	1808	Client.exe
Token: SeDebugPrivilege	2724	firefox.exe
Token: SeDebugPrivilege	2724	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	Client.exe
2724	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4352	3124	Client-built.exe	79
PID 3124 wrote to memory of 4352	3124	Client-built.exe	79
PID 3124 wrote to memory of 1808	3124	Client-built.exe	81
PID 3124 wrote to memory of 1808	3124	Client-built.exe	81
PID 1808 wrote to memory of 3668	1808	Client.exe	82
PID 1808 wrote to memory of 3668	1808	Client.exe	82
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2924 wrote to memory of 2724	2924	firefox.exe	87
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 4688	2724	firefox.exe	88
PID 2724 wrote to memory of 2504	2724	firefox.exe	89
PID 2724 wrote to memory of 2504	2724	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4352
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c71f95b4-8090-4380-a5ac-7574496d6067} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" gpu
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2924d973-9d87-4a4a-b867-42ee8ef99579} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" socket
    3⤵
    - Checks processor information in registry
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2972 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dffaf15c-8484-4d12-853f-c6cc2d9bf556} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3376 -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3e35a8-7a5d-4538-a97c-1a87d8043ad4} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4564 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a449ef3-9642-4780-8f4d-fcea3e1bac76} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" utility
    3⤵
    - Checks processor information in registry
    PID:3724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 4744 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f285b39-ebe6-4118-89af-97885faa8a18} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efcd3b17-d94d-46dd-829a-5c8ba0d0c7da} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:4908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5788 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {656d943b-0351-4404-bf1a-222020edd37c} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5224 -childID 6 -isForBrowser -prefsHandle 3916 -prefMapHandle 5128 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea7f6c62-a09e-49bc-a1e4-9b8e009a5104} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
6KB

MD5
4710fbb834c9e33a59b35ed76348bca1

SHA1
e2194b864f05c2bd1b9eb0412e6559992360e859

SHA256
94459e4b7f2577865860fd19c6214187e2b7bbecaa0753ae5d58c3da9a3e11f8

SHA512
d26752ba482506b0a6c0da5c6d680e087361545e81ee496e3ff960ebccdbe7d88562201a7c9d78e2634c273ae18f4c408229064daf422489c494737db9ab0a14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
6KB

MD5
a4a0a9da07dfd280412d1cd981dcedd5

SHA1
4683af9db7d42d101ca22322eabac1dff68d1e2e

SHA256
89cce51ac164006414169720c0c9aa5cb4db68c1a2c1cf7a23f8f1f0995a7340

SHA512
aa77c25a45a1dea51bd5458bf3bfcb28fc23054310ca8e159b71fa9743fa3316d4ac1b4350eacba48858eaf84cb1dccc07c7248c9c9433663ca7af5d8e8d22ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
8KB

MD5
ce23a5f913f87c94eca16b6e49e53da2

SHA1
36ee30241a24df2475e08b08ff234eebc95b6851

SHA256
dbf1586c18ec1f683a98d11a6f27db4d10d398e7b6692dc2b2c6cfd5df5c9609

SHA512
78f983a0501c46cca73b9468199ba1f0e7283926064bd87138d7226cc95d8e425040a417b59298bf52a06d06bb8894893fade584c39e17cee0768e8e176c0530

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
73622ba59f0cebda2369d168f92f6dbb

SHA1
b29aef27b56134a9e48dd5c3c7f9d5c6d642a31f

SHA256
e4fc0f0bd6da627eea459136d8b4148b86adb33e00772a5cebfc66b759e99e45

SHA512
fa21882455c3306230679891eda161f13b8ee359279271bbfa34fec1e143b9ca7d6b8592371cd5d12a17bec0896e6d9781f507e49ef7b6967114977abe5c7633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
11426079ea8302b2b9d1afec5a94ceed

SHA1
77a82a750b9d0f828cb797a20f5e240aac219322

SHA256
673fc59cb2db64dc85f17cae9371f5a1791e4fd93ea30cd4f1d3e0673d3ed142

SHA512
acd783b93b1fea3dffedc762c0d2d02cfaa461a665f9f602d46f9da4bc4a9537652f18a280708672c3079d62dfdfbed0b9a12f82f167344dfbb2b859068764ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
23671574f1c77fdac7b283be59cb5222

SHA1
a0044aa3908d74e7d3c9b90db7bb44fc06220117

SHA256
3f8205de4c0ffa2f5bedc6a789903e16c80fb51b81c085c31068b5e55ef34d48

SHA512
3e487e245cfdef55d88d24b7d8fde4ae3e48657ae67e74bd0e21f2b3f2215e2b5a278a6d07684df6f5b3ae5dd6054b85fd62525492a0f7585e05e415959e549d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
8ed86ec8a0328bf8fb1c10a9a1673c7e

SHA1
72f9a3bdfc5a79112cec4c7760119fe94d51b875

SHA256
b3fa9ff802a88586422505aa388934c3b332a10c655961c081d6e90ca6735240

SHA512
536546a9b29657ef0976351740f68864b90d8d1488a9876c856e80f2e2d0dcbe3d74fdfaa1e1ab66bc4f3f55f8bcad149d92638891581735d8d9e35c2c90635f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\0d100064-024f-44bb-a033-e55ae24e6235

Filesize
659B

MD5
5a21e941dcbcf48b50a40c0420d99e23

SHA1
81eef93302d95b0184a5e803d56f0f1c9aa102a3

SHA256
5a5677ddbc3e66a4ec339409d3a5e7eeabb2fb4f15dbc5c80a17d9b0b376b6d3

SHA512
0b026baf2944265380106c4b26f167fc49d0e365c5472ba1d3923c13bf4646c02d8fe6f52a1a6ded4e28feff8650c438b601e1a04aaf2fe4c66dd4692f7cbff2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\86aaba9c-0936-43f7-a75f-bdb0b67c7342

Filesize
982B

MD5
15a875cd446ea52046c282a1f7624591

SHA1
36c1e513ea21e3351d703e98b494f6389f946a9b

SHA256
df10fff26b88e04489f9fa8dc6293faaada0e90ba588f00ddf6a63ef961552df

SHA512
81ff2f838c0b0cd344c8f49780631cad15e4f6adf0b91d3878cb348b184dcf8e5a5dc6b4c5c53598aed0e008d108b5d323038f98e986cd76e3aa8bf79faa151f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
2360f5df845a900f1cd40880e8a08498

SHA1
859431919dfd22fff5423ef461ba27c110f816c9

SHA256
b0d4a571b17e8a3f1f452a5a1cd10eb40ccc424b549a47e4d8d46f8548115141

SHA512
64b3ba5fa973a946adfa88c4b7ae9e8fc5896e1653e843a19af7f2250f1a4987c04393a9b76e2e285419748a338b3b482836d848055671d16db61df4491d0dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
10KB

MD5
88ee015fd046faf137a5cd96f3373ea4

SHA1
24bd84ddaa8ebe4b592d9e6f5523a7b05fd0cdd5

SHA256
2b9ae28e551cae0f9ee3538acf70a96047e483abff2acc3eb8b05c5ebe3afed5

SHA512
f6e264088df0b9dcfdc2613a730b63c071eba98819903267ad328dd3a6d671000c5b88d39d496dfa974bf6c4fc54fac8f21c900d1fc015fb20950fd4b25a8a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
10KB

MD5
8846f03214e7f07b6285fa3c4aeadd42

SHA1
349dc97f79cf24967ff35e50c82aa09c178eb1e2

SHA256
30c1317ca0bf5df2ac4dedb143418cd1e2c954caecf6ddc699c3696623a562dc

SHA512
1bfec201528a590e36457dc158eb19976c56a5792b23bb7978e8dbcbc644b0758b1427fc9f8090b5c3ad3813fed9fce05ffdae584580950ce6f428e620ad1d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ce7622e92905397942cbd63bb87296b5

SHA1
7600910de3b92dae83717f796a2e35836183a755

SHA256
fee9aab5dddd009e95aec042013862db7b67dcb9b6360160089e8f9cd1862e9e

SHA512
f97164ed8a21576bd691892cbcff869e82517a09ba67134738afa57dd0df71b6ae255c5922a38d1c7b35fd92ae54c3ca282fc6557f5e5cbf733dc929c53bbca5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ba5eeb4a59804c2ceed6bd973b8fb11a

SHA1
68095c9518d53bd4b435e5010baa141ff029800a

SHA256
da8b047c99a53720e546c314d95ac22a4774ef45b49f6a364ad715742c50e047

SHA512
5f9c9ae0773bde682507b347c23306bdc4807d41c3f9f636993c3b005cc0189368eff507b833f79935379cf8816c7da885f9a3719f2f12edc825d103b33dd1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3ab764afa17479735df5a416da999bdb

SHA1
5ec4652e8feb415657d5182ffe08bad36845699f

SHA256
6ad049878c5b2b07e4df63b3c360f630c3652db5b97f040a7e1acb69dd6a635b

SHA512
a5e1324af42738c5f12f9119a7c1b1ea260d909d5b18735fc30fda70f054219411d5053d112ba451ad4d129b52a26ac59255a5b5fa7428d4b4d8d13201f4a5b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
5d0a485c6575ffa77a45a9789921f9f0

SHA1
207468b870c413099bb675a3e162346ee2d417bc

SHA256
728b08f74ada44e54c1b8c28beb43047e7f2c34e6abf27484626975807a5a17c

SHA512
fc94ec23d20863fad9ac2e97d919efb4d40bb9a914df7ecaeb063e6284cb008bb5ae1ec37eacc25aa3ea706ef1f00f769632314bfd5ff615b4dc217c3ebbc279

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7979af405ec3fc618b94083c15a703f2

SHA1
a1cec10272213425b8b5a2310de229f5962b9674

SHA256
5cc228520e77d8d98a9737e6ed9e560e7766bee0d3986593e6d78b3f62254ebf

SHA512
8c66339bc802cba4dbc4caa8a4a310470b2e205a3edd7f8f2dfe10514782b8c3506d5d71618b7684a9e789d316c5da9aaf775fdbb8c1d8433a35f1aff50162ee

Download Submit
memory/1808-11-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/1808-277-0x000000001CE70000-0x000000001D398000-memory.dmp

Filesize
5.2MB

Download
memory/1808-14-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/1808-13-0x000000001C530000-0x000000001C5E2000-memory.dmp

Filesize
712KB

Download
memory/1808-12-0x000000001BBC0000-0x000000001BC10000-memory.dmp

Filesize
320KB

Download
memory/1808-10-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-9-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-2-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-1-0x00000000009B0000-0x0000000000CD4000-memory.dmp

Filesize
3.1MB

Download
memory/3124-0-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads