quasar | hxxps://mega[.]nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ

Analysis

max time kernel
110s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/01/2025, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ

Score

10^/10

quasar office04 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.178.50:4782

Mutex

17d7542a-41ae-4995-bf0f-b4beb6fffbb0

Attributes

encryption_key
67BFCB1901402AB550189E7D65D43FEB52181781
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ac5d-452.dat	family_quasar
behavioral1/memory/2368-568-0x0000000000390000-0x00000000006B8000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2368	Hackus_Crack.exe
2196	Client.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Hackus_Crack.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Hackus_Crack.exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2280	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	firefox.exe
Token: SeDebugPrivilege	3268	firefox.exe
Token: 33	1676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1676	AUDIODG.EXE
Token: SeDebugPrivilege	2368	Hackus_Crack.exe
Token: SeDebugPrivilege	2196	Client.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
2196	Client.exe
3972	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3676 wrote to memory of 3268	3676	firefox.exe	77
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4800	3268	firefox.exe	78
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79
PID 3268 wrote to memory of 4592	3268	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ffbc7c-df53-4ad6-a3a4-d235c2aa3f05} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" gpu
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa32a97f-4cee-4701-8801-91249cd7b484} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" socket
    3⤵
    - Checks processor information in registry
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2824 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f19973b3-b261-45b8-890f-2667980b0e9e} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 3828 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96855b51-fe5c-490e-8154-51643773e5b1} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 1560 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {572f2c38-f737-4cdf-a75b-8dd00ac64c99} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" utility
    3⤵
    - Checks processor information in registry
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 3 -isForBrowser -prefsHandle 5732 -prefMapHandle 5736 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d4a8178-cf4b-41a3-9eb8-c338a943328a} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {703079ad-b7de-4b9d-9115-9689c503cc7b} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5528 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96c20c57-5167-4d8e-9de3-01732ecb7bc6} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6488 -childID 6 -isForBrowser -prefsHandle 6316 -prefMapHandle 6432 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04b83bfe-def7-42a4-b887-917020e9e063} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:4736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -childID 7 -isForBrowser -prefsHandle 6308 -prefMapHandle 6272 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb70f78-c1f2-4dbf-a109-5fd4d4dd5795} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 8 -isForBrowser -prefsHandle 3856 -prefMapHandle 4340 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c9d321e-3a00-4e3d-b6d1-e111adf9251c} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    3⤵
    PID:1664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Users\Admin\Downloads\Hackus_Crack.exe
"C:\Users\Admin\Downloads\Hackus_Crack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2876
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2196
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4624

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1740

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4800

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
173e097352fd80d308db1afa7e21228c

SHA1
0fc097bc6513f4a5cea4eccdbf614e3e03888556

SHA256
fa6b9bd292c6383ff77aca2e86215b7e2aa597f7e0bef8bb208ad708c45b0680

SHA512
2ae9fb9929f030d102d12de2b9ba658f371f8d40d3a81ae24b44c2be3b99e72714ee99f7bb30ddb2f0be1b0640aac38c86e4541e2f1db8a9fe287f61da8bfa86

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
6KB

MD5
fbf981c45aba50a6c6f8520f0c3ba741

SHA1
a2702d93e510c7369ad06aece62f6b2931a82caf

SHA256
51ba51432510b315af16d4b503578283cb9b1d19e3218e51ab753507dab9aee1

SHA512
14d42808e493a2fa63a400ee357c4c2ce7256a55adbb016c236923d7476b84cb03b20cf23221e8df17eb3587b77b3297c96592c2bcf3a18379577a51c680e973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
11f1956d132c360c69f21f5404614fc1

SHA1
fa6728679a16fa0182da62150f796ee9dae7ae9e

SHA256
fe95e71b14fa8bb846cffb4e941d4fcfb320fe1f3c78cc03b31a43bec82c137a

SHA512
0f92a6583376c49d39b34f61f6eb8b47e78acfdcb8df2c45efead99aafecff8b4dd0e1c3542065c5c4a76bd16300bca63d95bba3075818624a69f896477fc621

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
23a4fd814b5b1257bf9e3574c661ee23

SHA1
59a2e7898e41f1548a4721d8ba762d1bd613c3ec

SHA256
270b37b5974ba154741b2d2ce0ec27fc25efb80830fd28a540d0c0bf754984a1

SHA512
17f962c718684345b601a11a179ee9fca80a792896986d87aea946a9d93e30358835257aaf1c3582be8d86fe665f22f0a0b5660b8460e0acf7335c3765829361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c602061b097f17306328feccdde165d2

SHA1
65f158470e77065698a2c29aa14816cdf271e4a3

SHA256
2f403bf67c231e23f79ed082de5c891fffcb884b5392ba37f8b86ffe146fd7e5

SHA512
3fb4ce049a1ec6d313e22d76e0261fb67c165fe0a197ff97dfe6fff1dc416756376ac251c661d67ca35f3d9df9770bd132307d6b89aaf431462373ab08b699a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\32a96d53-9e56-4904-bd6f-654f99b4e706

Filesize
671B

MD5
c83698d7ae59671a43a307a9befa2520

SHA1
90b42c9e9a573d0ada0bd5ccd18a96126aeb1d0f

SHA256
57c2a413c834537bd0f64bfbd90de69b971bbf1a0242da7d5f6001a076a6d698

SHA512
6c161d798fa7d2cd5eb4dfa2833333ad0cedb07945b01893fa17cb0bccac2c8958cbbef5782ade689dd29c4c8dd01d00ae44fe6741aedd952552b94ce079514b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\9a8ed85d-c91d-45ef-af01-378b2e53e843

Filesize
982B

MD5
5aec7403d87d239a9442e8aba0f7a465

SHA1
93ef199042752db15a7f662e9e3106fbeb3dc2e7

SHA256
f4ead8c86ad4aeaaf9956c3ce473dc41e58652e106ceff0ce15d26ff95907dad

SHA512
abd0ec3ece2168af6185d340e3be2b2b4d6a84e4e99f1c07f9171cf5af1a1c1af675dd1d5e29662dbd77ae2749a5e0ae75321bcdff016ee37f7c108a302c6f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\b8e0ce5c-a270-42d8-a081-faba08d1f1ca

Filesize
26KB

MD5
ba7ffab073cb5f08910135fd05db3fab

SHA1
5e916fd01043ae59bacfbf0eec0bfac477f7baa5

SHA256
c9d93b38390e749b433767687a9415e5c66dbfd8923cef2ef31cdc1426956f31

SHA512
306f082b28f9aae6c0622f16fb47c2a851fef7c405310ac1c5ebd78fd9cfc3cb08d8068919b3dc87012111b45a5a22caf8c10444bddf0eac8b2de47136d2f734

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
9KB

MD5
42eb63a10e828c967f509e727126d238

SHA1
7bbe549d1ea5476a8382ea1fe647fd18a2d56555

SHA256
5b9163010553f36f0b9c159cd990740516c4ef121a3665fd3668aea9a7d15e3c

SHA512
1e9b4b494c1eefc17873e06a69630d6ad7e0ffa7d9f2a7aca8d7c3d1644b4a7db6339881e101bbf2b7182053bfaf6275bb1e0b25d82440cc347236b7ff810b27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
db922c0d660e6787d3feae24781f20ef

SHA1
9bd1323716e8945cc4f47912b89707c3823c7a60

SHA256
a3ea49c38746ce86c683fc8af6331338c306dd1330dea910caa140e2c09e2cf9

SHA512
8bd27c784e6a1908d97becb2e6f607d03f0379038d09c5318fad5c1c7f2760cabdbc80e873b499ef6654f448150224502ed432c78dcf1285d6633bdeeec4c1e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\default\https+++mega.nz\cache\morgue\96\{78a80fa3-e956-412d-a822-e7c5d6863e60}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
dc26adf9659a292f811d55a4c4f4bb49

SHA1
12c84dbdc769bcdc52da3dfc2e9f97e69d3a52c5

SHA256
4e0a3b246513dec011ca15aed70017180e06965aaa2e92438b36fc274f2d9e5c

SHA512
27865f4e33a018a87ed0dcc08c2656e1bc3995ad0180b6f19b0633f2e1fe68c19f389898ae7087820f1c144f07c541f9ef979b35097b5a2cd610a39cc9f7f6a2

Download Submit
C:\Users\Admin\Downloads\Hackus_Crack.exe

Filesize
3.1MB

MD5
18a25818e80f32a4fbeef9c7c7b54f33

SHA1
d851db20db3a24dc5885b370df0a332bcd0dce59

SHA256
606dcf2113f21cceb8d48ca294abdf791c37c8b9791e9493434e947b0aca4f1f

SHA512
5f0e459ff1978dbfc0aa77b3f9f33f9a9a1718436e3fb107aa3b0b4c1f5e5c48e28bbcfca724d89d7ca6a6d69a5dbdc3435197e79ea91115e8bc776be34d42b1

Download Submit
memory/2196-577-0x00000000027B0000-0x0000000002800000-memory.dmp

Filesize
320KB

Download
memory/2196-578-0x000000001C020000-0x000000001C0D2000-memory.dmp

Filesize
712KB

Download
memory/2196-579-0x000000001C710000-0x000000001CC38000-memory.dmp

Filesize
5.2MB

Download
memory/2368-567-0x00007FFD852D3000-0x00007FFD852D5000-memory.dmp

Filesize
8KB

Download
memory/2368-568-0x0000000000390000-0x00000000006B8000-memory.dmp

Filesize
3.2MB

Download
memory/2368-569-0x00007FFD852D0000-0x00007FFD85D92000-memory.dmp

Filesize
10.8MB

Download
memory/2368-576-0x00007FFD852D0000-0x00007FFD85D92000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads