quasar | 389d7381073945558533fbf409f2bce03d5267e5545ecf91c4208b7646165db9

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EclipseIsSoHot.exe
Size

3.1MB
MD5

d270f2b20a6fae8a39ee7b6d9ffecae1
SHA1

d05036a246aa89c8c5ff4827a7a055df65c0eacc
SHA256

389d7381073945558533fbf409f2bce03d5267e5545ecf91c4208b7646165db9
SHA512

ab8d5207d36078d0cdeec67d23c0883ddb89568976cc94c80a491e9b5dc4eb54d68d3df0f2ea46a0c875bc85b8f44a31fb23888babc421f9a6893876a750b9a9
SSDEEP

49152:9vzt62XlaSFNWPjljiFa2RoUYItTR16rbR3boGdDJTHHB72eh2NT:9vh62XlaSFNWPjljiFXRoUYItTR16B

Score

10^/10

quasar darius discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Darius

Eclipse:80

Mutex

df9a6e4a-c51f-4a16-b5ba-97e6c913f325

Attributes

encryption_key
F438346FAEF700E396AC7AE5D82BB12BBAC49EC0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral1/memory/2968-13-0x0000000000950000-0x0000000000C74000-memory.dmp	family_quasar
behavioral1/memory/1780-33-0x0000000001200000-0x0000000001524000-memory.dmp	family_quasar
behavioral1/memory/380-196-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/3008-318-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/2996-420-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1644	PING.EXE
1200	PING.EXE
884	PING.EXE
1452	PING.EXE
2588	PING.EXE
2972	PING.EXE
2908	PING.EXE
1620	PING.EXE
1604	PING.EXE
2960	PING.EXE
2696	PING.EXE
1072	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA03F6D1-D839-11EF-B12A-E61828AB23DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2908	PING.EXE
1072	PING.EXE
2960	PING.EXE
1644	PING.EXE
884	PING.EXE
2696	PING.EXE
1620	PING.EXE
1604	PING.EXE
1200	PING.EXE
1452	PING.EXE
2588	PING.EXE
2972	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	chrome.exe
1700	chrome.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2968	EclipseIsSoHot.exe
Token: SeDebugPrivilege	1780	EclipseIsSoHot.exe
Token: SeDebugPrivilege	1788	EclipseIsSoHot.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeDebugPrivilege	380	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2544	firefox.exe
Token: SeDebugPrivilege	2544	firefox.exe
Token: SeDebugPrivilege	3008	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2900	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2960	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2904	EclipseIsSoHot.exe
Token: SeDebugPrivilege	1736	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2276	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2064	EclipseIsSoHot.exe
Token: SeDebugPrivilege	2996	EclipseIsSoHot.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2424	EclipseIsSoHot.exe
2624	iexplore.exe
2968	EclipseIsSoHot.exe
1780	EclipseIsSoHot.exe
1788	EclipseIsSoHot.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
380	EclipseIsSoHot.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
3008	EclipseIsSoHot.exe
2900	EclipseIsSoHot.exe
2960	EclipseIsSoHot.exe
2904	EclipseIsSoHot.exe
1736	EclipseIsSoHot.exe
2276	EclipseIsSoHot.exe
2064	EclipseIsSoHot.exe
2996	EclipseIsSoHot.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2424	EclipseIsSoHot.exe
2968	EclipseIsSoHot.exe
1780	EclipseIsSoHot.exe
1788	EclipseIsSoHot.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
380	EclipseIsSoHot.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
3008	EclipseIsSoHot.exe
2900	EclipseIsSoHot.exe
2960	EclipseIsSoHot.exe
2904	EclipseIsSoHot.exe
1736	EclipseIsSoHot.exe
2276	EclipseIsSoHot.exe
2064	EclipseIsSoHot.exe
2996	EclipseIsSoHot.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2624	iexplore.exe
2624	iexplore.exe
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3032	2424	EclipseIsSoHot.exe	32
PID 2424 wrote to memory of 3032	2424	EclipseIsSoHot.exe	32
PID 2424 wrote to memory of 3032	2424	EclipseIsSoHot.exe	32
PID 3032 wrote to memory of 2840	3032	cmd.exe	34
PID 3032 wrote to memory of 2840	3032	cmd.exe	34
PID 3032 wrote to memory of 2840	3032	cmd.exe	34
PID 3032 wrote to memory of 2908	3032	cmd.exe	35
PID 3032 wrote to memory of 2908	3032	cmd.exe	35
PID 3032 wrote to memory of 2908	3032	cmd.exe	35
PID 2624 wrote to memory of 2348	2624	iexplore.exe	38
PID 2624 wrote to memory of 2348	2624	iexplore.exe	38
PID 2624 wrote to memory of 2348	2624	iexplore.exe	38
PID 2624 wrote to memory of 2348	2624	iexplore.exe	38
PID 3032 wrote to memory of 2968	3032	cmd.exe	39
PID 3032 wrote to memory of 2968	3032	cmd.exe	39
PID 3032 wrote to memory of 2968	3032	cmd.exe	39
PID 2968 wrote to memory of 2884	2968	EclipseIsSoHot.exe	40
PID 2968 wrote to memory of 2884	2968	EclipseIsSoHot.exe	40
PID 2968 wrote to memory of 2884	2968	EclipseIsSoHot.exe	40
PID 2884 wrote to memory of 592	2884	cmd.exe	42
PID 2884 wrote to memory of 592	2884	cmd.exe	42
PID 2884 wrote to memory of 592	2884	cmd.exe	42
PID 2884 wrote to memory of 1072	2884	cmd.exe	43
PID 2884 wrote to memory of 1072	2884	cmd.exe	43
PID 2884 wrote to memory of 1072	2884	cmd.exe	43
PID 2884 wrote to memory of 1780	2884	cmd.exe	45
PID 2884 wrote to memory of 1780	2884	cmd.exe	45
PID 2884 wrote to memory of 1780	2884	cmd.exe	45
PID 1780 wrote to memory of 344	1780	EclipseIsSoHot.exe	47
PID 1780 wrote to memory of 344	1780	EclipseIsSoHot.exe	47
PID 1780 wrote to memory of 344	1780	EclipseIsSoHot.exe	47
PID 344 wrote to memory of 1324	344	cmd.exe	49
PID 344 wrote to memory of 1324	344	cmd.exe	49
PID 344 wrote to memory of 1324	344	cmd.exe	49
PID 344 wrote to memory of 1620	344	cmd.exe	50
PID 344 wrote to memory of 1620	344	cmd.exe	50
PID 344 wrote to memory of 1620	344	cmd.exe	50
PID 344 wrote to memory of 1788	344	cmd.exe	51
PID 344 wrote to memory of 1788	344	cmd.exe	51
PID 344 wrote to memory of 1788	344	cmd.exe	51
PID 1700 wrote to memory of 2528	1700	chrome.exe	53
PID 1700 wrote to memory of 2528	1700	chrome.exe	53
PID 1700 wrote to memory of 2528	1700	chrome.exe	53
PID 1788 wrote to memory of 1944	1788	EclipseIsSoHot.exe	54
PID 1788 wrote to memory of 1944	1788	EclipseIsSoHot.exe	54
PID 1788 wrote to memory of 1944	1788	EclipseIsSoHot.exe	54
PID 1944 wrote to memory of 1608	1944	cmd.exe	56
PID 1944 wrote to memory of 1608	1944	cmd.exe	56
PID 1944 wrote to memory of 1608	1944	cmd.exe	56
PID 1944 wrote to memory of 1604	1944	cmd.exe	57
PID 1944 wrote to memory of 1604	1944	cmd.exe	57
PID 1944 wrote to memory of 1604	1944	cmd.exe	57
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59
PID 1700 wrote to memory of 2816	1700	chrome.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
"C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7EM9YX1j5pu.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2840
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
    "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\swTPHF3Hg5UT.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:592
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\82KPd8UjQh1U.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAikkfXoqKEw.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWnkCEFVl4vM.bat" "
        10⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gc3axyIJmJX2.bat" "
        12⤵
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6KYVRNjplNYR.bat" "
        14⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3tOi5Z7EYuOA.bat" "
        16⤵
        
        PID:1064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fLuWPH3Xyv0P.bat" "
        18⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TJeTv77aYMGs.bat" "
        20⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WRYpROXjlPDG.bat" "
        22⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DvkRHAl7G7tO.bat" "
        24⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EclipseIsSoHot.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2996

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2348

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef449758,0x7feef449768,0x7feef449778
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:2
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1156 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1236 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1368,i,6853014129189050126,10131510897715562864,131072 /prefetch:8
  2⤵
  PID:1060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:604
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.0.456320148\1226952466" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1172 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {327a29d3-d271-4dce-b32f-6be21c0e1daa} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 1316 105efa58 gpu
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.1.616728019\1253680221" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {385a47b4-e392-402d-afe2-a18bd57b6ee5} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 1532 95ed058 socket
    3⤵
    PID:1816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.2.1664642770\2019883332" -childID 1 -isForBrowser -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a84d4e5-b137-41d7-8845-a8aa7d2eb8ee} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 1948 10561258 tab
    3⤵
    PID:2308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.3.1101903907\1626679820" -childID 2 -isForBrowser -prefsHandle 2392 -prefMapHandle 2376 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71b4d009-54ca-4782-bed7-ab94969f8c15} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 2448 d6a558 tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.4.2135446329\1927790380" -childID 3 -isForBrowser -prefsHandle 2760 -prefMapHandle 2732 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e2ddb4-6f7d-4df1-a157-d441bbedbefd} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 2772 d62b58 tab
    3⤵
    PID:2624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.5.2119452216\1202638120" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b483ef1-ceea-4cf5-807c-8ff699d430b7} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 3852 1bf51558 tab
    3⤵
    PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.6.1695281979\936529131" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9969e376-2463-4584-bfc7-317587cec8af} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 3956 1ef1de58 tab
    3⤵
    PID:1636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2544.7.827816840\453366773" -childID 6 -isForBrowser -prefsHandle 4144 -prefMapHandle 4148 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eebe0a7-a4f1-4ceb-accf-69ed30d87c86} 2544 "\\.\pipe\gecko-crash-server-pipe.2544" 4136 1ef1ff58 tab
    3⤵
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0631d414-f65c-4cbe-85e0-5b21ca492c8a.tmp

Filesize
344KB

MD5
7a7eeadb3a1cea3ba18e45b34093017c

SHA1
94ec242a1ad7347d4ce63b136a72871508fda58a

SHA256
19272f89122a7a29f1fec5ce0ef6b229c9c85a5a6c5cba7357ef1f0b55410dca

SHA512
d7abbf08411c2e21dac049c87da72fa289ea52b5451a0fb26cc574140bf6ed8bf00d79be3fe9660db937107b799ce34ef4f77b9f1a3cb0932902e3bf3467821b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
78c35222531c6417c9bd623b7295a5b1

SHA1
1b819b68a45295c3e046219fa24c450128a3e32d

SHA256
1697f9c25e4c47446229436d88cf6c58bfba13afa32e19fce3a76628c5894547

SHA512
920c5b652ce236b962978684ae2451452be1c42e4fd2223d5267c576b4929bf6ac9efce5c05de10f6e891ac8e26b1bed6f5ae399fd80669fa2f4d0a26e944491

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tOi5Z7EYuOA.bat

Filesize
211B

MD5
c86018517fb2c74d5211f016fb4670e4

SHA1
db1a9945693112cd18614ac367c0f0c582139f47

SHA256
fb145fa51631ef54a1a25197d94655611fa9bd2c1a58cb13722f0ea56f7932e8

SHA512
4df4d5cccd47c02693c8daf012b9c7d8744484c78836e634b1890b4554bc9ee2b7210ad8989d62a03f8c931aaad430354bc8eb412257d160d4bdfbb47647684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6KYVRNjplNYR.bat

Filesize
211B

MD5
b1b3cf4489cf935a20e24a0c4fd625b0

SHA1
bdec4add1969c52573005dc82c9594ac182b4c03

SHA256
4bf78c41448e984874b9e26d56398d293096b2d4f866e84f7af63b9ffe6d2e88

SHA512
e161a34a3d0be1d171e6016e2ab03575af84d5095c55a690f1f40ec43b67ca767fc91909d51622bfcae3b8419bf430d3b46ab8efe2c5d8561c7dc32b01365c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\82KPd8UjQh1U.bat

Filesize
211B

MD5
84738b27212687f22b217911bce7882a

SHA1
331a434c5d509be5b293126f071021cd77efa953

SHA256
d2841fab82ceb99722598addf73e0d39fb4a48315c0556beb69c42983f516d64

SHA512
3292a1405966107444addaadc653835d41e77c23a5438506f5dd506c3c591a32dd4ee654d370d9a209d98b3fcbf34ac72ada0cf9a04400fbcff2941f839c68c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DvkRHAl7G7tO.bat

Filesize
211B

MD5
745c8f0709a3eb4bcb5020967156d14c

SHA1
7e9aa8cb5babf2de18d1e24e92c134c466e3a764

SHA256
44c4c6f9ebf2401d026b38a5b673056957cf90333f8f846eea5b37ae0c3f20c5

SHA512
022166bc8df811bbebc48405f25bc191eff52114a17e7a480976ff2a1f18e0c0d5a7ee91632e7829f149af9c3fbd7bdc778a7b44c7727c76453e7416016b0841

Download Submit
C:\Users\Admin\AppData\Local\Temp\L7EM9YX1j5pu.bat

Filesize
211B

MD5
b92213cc0233beb4565e45e9446a4a68

SHA1
c9b89f32e0173954bb13bba02faaf1783bf27d94

SHA256
e75d1e2b4f832a7ebbec5e5bdc988b0b0b285c3ab7fee6c0662bb0350048e3ee

SHA512
44c7b054c7ee0b0bfef52c3589b01c68d1c9a852d728891e43c70402a76f319aa049e920e25dd944a82349525ca3827453807fff34435f4c53d2340d3f8af0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJeTv77aYMGs.bat

Filesize
211B

MD5
9e825ab13d880b60afff1e7c1401463c

SHA1
b41d220e054529343f3e8a551bbcd07528b08380

SHA256
7540414392de211e8be9050062f67f075b64aea610b7ef0d4754239e8bc582e5

SHA512
db972e6cfdf78000586e4741a236d064c4273c2cfbb4e4458ec081db12c98dcfb171a014b897d4756ba8159a1222a798445489b206cc0f01a27996fa7f74b1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRYpROXjlPDG.bat

Filesize
211B

MD5
8fd58a73a75265157a7bc0fee8aac634

SHA1
416218c5410af75027b1ad09843fa146221d59a0

SHA256
c0991330c1ba380a9a45e674447fd68896c203057ec8cb9ab3e61e46052b677b

SHA512
db6a7fbcae4a2420e1fb62d01d9f170dbe50d009df5cb9820f74d338b44413e83d7681d765271995e09195b82b3550785a3932f7a83b430d1505b5b43a9bcddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWnkCEFVl4vM.bat

Filesize
211B

MD5
d22316349249d6ef5efe7c5b847f6fdc

SHA1
1914c9bd6e1e367468114efd6a95f27535247be5

SHA256
67e6ef23df2b710bb0f0bcb88760f0c070ef0712d4b5ca05757b7a1d4d8dad2e

SHA512
16a66e3368588fbbf44b180f4ee7a08702c19cfe9b6e025e40d80daa604f87bb6c590b0e8e2e8d7dca4f68607f8513e1d7a659480a240227f792526bb0c95cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fLuWPH3Xyv0P.bat

Filesize
211B

MD5
01b67e2833d57f97236f624c7007c910

SHA1
412d2e3e397ecea5b5a2709807297d5031a301d7

SHA256
f3f5ba5fa75d433e26297181f8930cf55caabbcdf30c546a4f1387bd0ae9bb93

SHA512
f45040f9056d27a32f214bc279ed26985daf47d077e7dd8dc56f896dfdc3181e10faad6bc44743b2ee87b4d65bcc188f3c54eaca5044c5d44ae867e7a90cf5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc3axyIJmJX2.bat

Filesize
211B

MD5
cad3358d42dfb539f68a2807bff12d10

SHA1
3aa639df2e194a024bacf86975e506bf0b3d319b

SHA256
e0c46e787ebc8d267d833083b562e26bd57de810c1500bf70ade7bea8b8ba333

SHA512
1148aca9f565c2472122a092680fe9ef4f17ff335c50e9cbab5a4e1b1a8f812205e01fd431a2ff4547a4f2d6659a9039ba67101e5e3840feaba6f389c442522e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAikkfXoqKEw.bat

Filesize
211B

MD5
6458383037e96ffcba32794f8756d47a

SHA1
988e0f210857ef2a8196b1845262c64ba8fbe33f

SHA256
5689a3e6fb5ea216f076ffcd068c3bd80d35996856501eb89b5e4751f6c38b94

SHA512
da8c2b6bf69e6e09b6fa8a332c4449354022f6ef3e5e3886098bc4f42faff3900f879dcc3d4a4e55ed79faaa35ae4b733e853fbf8be37c0beb1153a12960547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swTPHF3Hg5UT.bat

Filesize
211B

MD5
aef75e431ed4b3744bbf387cf7f8fa8d

SHA1
dff7c6015142efdc609c1ae435c73a0fcdb6620d

SHA256
ca916bd431ec6268e3d3a61481bca49108f88a8d8b20de26ea24313831992211

SHA512
b6667513ea87207f6511ee85ab937f2cb928cc3dfea6c5987b42034fe2027f37eb4f5168d47fbf9e3f42c4f71afac2819cce36cd45cf7dad0f8e5e12ebf5629d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
789887e4f8aa59ed5329a0e732e1e8fc

SHA1
4e639f64f5bf687c9b633efc8a46ef380e155e8e

SHA256
2c78f53d28c5579c27a7be29332d68af8233a6608174fa091dafcbaae32eee58

SHA512
236e8a65d89b2eceffdf75129e2e32d35412e1acbae49fb9e35c4ab33c8da21eb02349986dfbfd945ad5b9c64fa907267bd2931b3a18e13063337dbbc0c630f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\01d0540c-6d06-4f3d-9921-1c89d09ae540

Filesize
745B

MD5
b5c32316ce9267dc6a6b39cae08226d4

SHA1
8f4bdb7dd301f13b7d42c95c925b93dbb6d0baa6

SHA256
abc0bda34fff2b39ca4d79340bac3b9568f87fc2a86f935a67e5d69f8f689653

SHA512
e99b080c0770604c2eda156eeeae2ec8e44efa13f85d46d71c70b79c1002cdf69c7bceb7db742c492736e640e06992f67bb0338759565559dd3c8cd1c08f99da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\20946dc1-325b-4e9c-a5c8-ffff8efd938f

Filesize
11KB

MD5
e9380dcf97176794206ec2a1ab0d9b76

SHA1
b774139ffca10abb125571901f66c3555e49a1ba

SHA256
a02452f954581ae2a37d864281648b03977e54a282da4abbe2f460d4ac775f3d

SHA512
4f4dc298c9c2cc3a69dbf5364bc26ff3264b7bddeffcf72398e0f3c2eec8cd3e3459fa01c60a6078d9930817c4d3c7d22550b25278bbdbbb880f0e9848ef52de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
0cfb35e6ce7aecf01bcea51fb2e330f0

SHA1
a1203d85d73339e6ed04240613feb046d9e81251

SHA256
6901ac20b0ba67899bf28f8b5a9c01d6df4875e216a3f3cecdd7fb56c9765d4c

SHA512
18c06522d99700da7ad1adecbc85dce6f3a1f9731a1842f10381697309c3b6e0c9ae22014450365ca8b177f1ff2c12a8c600b7bd6339e83214a206ac1433311a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
7c8af73b7189d46079e0b960228f0d9b

SHA1
96de2b04efee5e6599c7e4271b074fe77350de6e

SHA256
e134714d236e2d332b1dd9b5ec554da410ef34daf3a692931e223892b9336b80

SHA512
56cf53ce21dcf6e54f561d5ee5421b93be7c69fe42a323324cd4f1e446a497ab6813aec202f1c9a0c92c04a3d840465efb11b9bcf3cb771b168cf59cf01ccd8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8f74ec409b9bc13f4e10a2ef078cc83f

SHA1
389e3c850f9817ab608cb8d3a0efb4e95573e1c0

SHA256
6df41c3daf2f9da5418d569c9380abbf6a452f597f20e41fa72531eae52464c1

SHA512
5db707e73cf94436c4c35502b34ca9a3b9a49b280417b762bce9b1dc92d1747f7ae6279ca34d7b0061d286cac0f2039dc8368bf769057d65865d4c1615d346c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
6a7e2803a02dbe0e8300bf3763327a5d

SHA1
d7fe9269f9da086391a5d8dd6c9091a86a5afc3d

SHA256
5de402247656ff3aa96503fe6f107e1f54efd2d7794dd79d308a18e0073ca746

SHA512
f5f74e567b88925d92a72dfbe6a38bf1db46c3909dc5cfe0867e4f74733bd86e24173028b94b1b7415bb9af01ab7db6ac890c0183bb0323c8151d51a82ea7861

Download Submit
memory/380-196-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/1780-33-0x0000000001200000-0x0000000001524000-memory.dmp

Filesize
3.1MB

Download
memory/2424-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2424-11-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-1-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/2968-13-0x0000000000950000-0x0000000000C74000-memory.dmp

Filesize
3.1MB

Download
memory/2996-420-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/3008-318-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download