quasar | b01844fd95ecc51c681f238a6351fe1e8d7228b931f4324b023c4598907e9c69

Analysis

max time kernel
8s
max time network
150s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/04/2025, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-be3uilt.exe
Size

1.9MB
MD5

f6f414c145d0acecfdd3cfba707386d3
SHA1

b7281f8c899da4fd46e814ccadda4b3f03db365f
SHA256

b01844fd95ecc51c681f238a6351fe1e8d7228b931f4324b023c4598907e9c69
SHA512

68ac467e9c57fe6c2108217393e1ba45b48503d5274565460420e508e0add220c69120bd5551d7741996f20011a9d1e33f327d13cbff8f29223d6fce6d2a0d24
SSDEEP

24576:Y1JFoVGS2eWBRwRR16zhHIPbcNK0KKm77yviUSQaZaOwI55l2S62r9exnjUDB3u9:Y7FB7wR2EgKKm77LrwCB6T

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
43EB246F63BA6C5E8F1B8F576653410351E57F4E
reconnect_delay
3000
startup_key
�� 8}pQ��C��ʷu��

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4788-1-0x000001EA8A390000-0x000001EA8A57C000-memory.dmp	family_quasar
behavioral1/files/0x000c0000000280eb-4.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5556	OfficeDirectory03.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\OfficeDirectory03.exe	Client-be3uilt.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1984	schtasks.exe
4204	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5556	OfficeDirectory03.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	Client-be3uilt.exe
Token: SeDebugPrivilege	5556	OfficeDirectory03.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5556	OfficeDirectory03.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1984	4788	Client-be3uilt.exe	82
PID 4788 wrote to memory of 1984	4788	Client-be3uilt.exe	82
PID 4788 wrote to memory of 5556	4788	Client-be3uilt.exe	84
PID 4788 wrote to memory of 5556	4788	Client-be3uilt.exe	84
PID 5556 wrote to memory of 4204	5556	OfficeDirectory03.exe	85
PID 5556 wrote to memory of 4204	5556	OfficeDirectory03.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-be3uilt.exe
"C:\Users\Admin\AppData\Local\Temp\Client-be3uilt.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OfficeDirectory03.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1984
- C:\Windows\system32\SubDir\OfficeDirectory03.exe
  "C:\Windows\system32\SubDir\OfficeDirectory03.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5556
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Security Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OfficeDirectory03.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1956 -prefsLen 27100 -prefMapHandle 1960 -prefMapSize 270279 -ipcHandle 2036 -initialChannelId {663f4a83-9929-4a81-9e51-62d0f7ee084e} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2444 -prefsLen 27136 -prefMapHandle 2448 -prefMapSize 270279 -ipcHandle 2456 -initialChannelId {0db1457b-b6dd-4dfc-b2bd-0203426852dd} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:1208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3788 -prefsLen 27326 -prefMapHandle 3792 -prefMapSize 270279 -jsInitHandle 3796 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3804 -initialChannelId {2f3dbbb6-5203-434a-a102-5039e8ac5504} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4020 -prefsLen 27326 -prefMapHandle 4024 -prefMapSize 270279 -ipcHandle 4172 -initialChannelId {257b27e6-9c97-46b8-b4e5-24ba5aec33ba} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3092 -prefsLen 34825 -prefMapHandle 3096 -prefMapSize 270279 -jsInitHandle 3080 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2968 -initialChannelId {7ba407ba-f078-404e-b579-4ffeb24aee3e} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5508 -prefsLen 35092 -prefMapHandle 5512 -prefMapSize 270279 -ipcHandle 5524 -initialChannelId {dc8f1e4f-31c1-4aa3-941d-55637c312209} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5664 -prefsLen 32979 -prefMapHandle 5668 -prefMapSize 270279 -jsInitHandle 5672 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5680 -initialChannelId {c52c02cc-608b-4481-8ef0-0c6ccb538eb9} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5700 -prefsLen 32979 -prefMapHandle 5704 -prefMapSize 270279 -jsInitHandle 5708 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5716 -initialChannelId {d2a86aa0-341c-4ba1-a64c-a618a26537e4} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6336 -prefsLen 32979 -prefMapHandle 6340 -prefMapSize 270279 -jsInitHandle 6344 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6352 -initialChannelId {bc86c21c-f0af-4b84-8e30-7cbac9087628} -parentPid 5600 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5600" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    PID:5940

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xpwktgiy.default-release\activity-stream.discovery_stream.json

Filesize
34KB

MD5
4076e15f8bb4cee722234e9d9c05c564

SHA1
0305d17d1fbf19ca7d44dd605ab527dbd03c19bf

SHA256
4779332c05c55e074b19f8c2cc8aecf3de65a7cd443ff3e6921d9c2df6895045

SHA512
c2b9337477aa8bc22f944e11e84dd24e854b20ef30437c8c107fe48f9e483d986f1ae2102069724431e093e4473e4c2fafd1a1a7ae91081dd4f83bcae7116af0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xpwktgiy.default-release\cache2\entries\73EC3764FB3BA737E60C1F3545992FF513570DA7

Filesize
14KB

MD5
b7e45c0b7fcf8beeb39e43d7a9c60e36

SHA1
0f131cc00542693d2d79722f13f77bbf4ef2ac15

SHA256
61754805518892c7d734e8b6f8822fa6903c851bb0e76f91440386c7692a8db1

SHA512
bf3f8a040bac5cecb131e5d904173ed5be7896e6ceba1f2f0bed5555aa1ff68244eb74784b018454b7142a3a11f1ab9c44dcf85fadf75e609f41fb7f06abc4ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xpwktgiy.default-release\startupCache\webext.sc.lz4

Filesize
104KB

MD5
8776d3d609d4b5ab94ab1e365d796ef1

SHA1
2ace66b381ca4f2ca365598c9d315b21833d63f3

SHA256
23e67cc528d50919534cb69bb9a15db2fe029461d531dd68f2e3f4ef1c177515

SHA512
9650a9a57042f55a43c291decc42205128e78ea57bd2ca6f4685e731cfc99a9a8b153168a246c6f701cd75d897c2e66e3d476a8308cfcd1fb8f36ef3347a32b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b958461-080e-424d-9b90-9bdd28591870.zip

Filesize
3.7MB

MD5
57880dcac21744fc3b1d25fc04df0b7d

SHA1
6b962c2a5e89fe801a93eecfb0108211decf960c

SHA256
f3ffc60d996ba67a7e2bd340cf0a516bffe02d571e6466699d01f60d0b4693b7

SHA512
eb7a73cc793ced69670e60e172d421be4d10ccbe1e9c81baa607e08985ea138c0b30d3a0d08995481f3610e8d4e3ba976e6ae12f71710af85b48f10ae676b466

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\AlternateServices.bin

Filesize
7KB

MD5
8619fb81bc876f227acaa7ffd48c42f6

SHA1
a63549909ed560bed592ba4598f077077313a546

SHA256
e6b9f9761c1e6a55e3ba86bfe2e38a740fb2ae2ba39e9478786fed8c3330cba6

SHA512
38b31b38b4a9854ca4d3ab842455115609c5d5a07edac9c95746d8838cbc9bd95eba74b196f0abcc4b60c46702a7601fd95deda1ffdcc6209520e74753ef8e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6a832172ed12738c8f9df9653c71e736

SHA1
b3e6b7d2b06e15bb2f5e89989cdb8f99c95a99e8

SHA256
de1021d016c78fedb6d648aaabee1f7fad68bb7eb7eb36cc4308d62aabab27aa

SHA512
8ffdfc89915832140b711e9511195ae929a8285b51bb98a093be08c82fa9db5068add661f00399731ae973f1c4c3a766fcd39ca1f06b1082cfd9da94fb814174

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
d6f287419f66634a79d32da57470857a

SHA1
d6a07469f7a728e8cbeb7efa0aeae7a9fa1a3f1b

SHA256
624fa0144ba405d74c4ae8355d5073455c1e1ddb7b61af9786c7eac407c804cf

SHA512
f221d133dd798ff7c55664b9ff4bd8f9b4108a139340417280f7c2a4855e0b18b6735582e97baa456616f87c4c5f4024a376f320f0cd24289449a2a9237dcf64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
771435fe0ca8123e58edf2934f257a5d

SHA1
6366db1b358dbc2e85604f19a825040fb5690815

SHA256
341dd4a26c24a8d0e656fe2c5dcd763b8095e55d49044e175ba27a1a9a7c67f2

SHA512
311258e629e70b174a41838f235e2088efc1e072600f41171e5a0506234be79e8669ab82d2a141c3d994c571b65fc2f7bb17d6a9e41f2a69cb7918e338354900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b2d0f03d5e49697172fa8090a2157ae7

SHA1
e0c54b29726e64c35529b90b934c44bb6cf6a464

SHA256
df422d44f7405a804ee2b6c05fc4a0a22d472521f4924371d598fd03247c29b9

SHA512
4e333e3dcda6d53826c8e11174835b1871e9958a318e9cf2fa6353fe81eced8ed88ffa3fa12eadabaf3afebdb1e70a73b7cd8067ee99e5d04f2455cc4c6f1939

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
5cb0cfbd85cded5d6197a16c74dcd8be

SHA1
91bcd7d60738ab205fa181598f48d6dc3f18d95e

SHA256
ad8f9b65b9615accdf6645fa7f48aceec48021699fb7223868075c0bc593a6f9

SHA512
d83dc06e548dab5721b581c6aa5261117801efe93e4436fe4b0be339286b95b0a825d1a0b7d8fec4191738352ed3f0c2487eced51aa6cf3eafd6c5b38e336072

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\13139399-37f0-440a-90a0-7d5e2dd86481

Filesize
16KB

MD5
8659af5f7be25fdedcf32e01c8149c15

SHA1
cf6b1e2aa6a880bd2a544a74ecd6a3c35f964a06

SHA256
7ae685e5555a7a51dffeddf4dc560779a57898fc2a504b62fb5cf9a58bd4729a

SHA512
dd5e0c6e468732da27527413038e55edd193f95453cbb77a7d56dd48056474c9f70bbebedba3b5c21fd2692df5aaeed65094107f16cc5ebf9c528f7a00a1d99c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\2d90c223-f8fb-48ca-bcf8-745140b51496

Filesize
235B

MD5
d601e5094b9240e9647b009233ca48d9

SHA1
7cfdfd46a09198a6a22539a53246fc58112a0c89

SHA256
c38981b475a581781678b262fd3e9c65195362901a145b63d9e7bcb5f7ca1f4f

SHA512
ae31448551ab08bc30e1068c1b2402380a3cbc98467f8194b96753306f7b77265500c21c58f11313a9c0b96a6f81c9dc94b00026dc3bb1d7dd54dd81c0eae371

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\4c6e67da-6d84-4d21-8d6e-40dc1c596f68

Filesize
2KB

MD5
f1a2bd011506a628e9f841e47c026fb1

SHA1
690112aded4ad6c53152ab56f2494a0c84839b34

SHA256
bca1b4464482f48ef2335ac0321ef1b93ab0ce14bfca798118c7366383f71e3d

SHA512
0529572fc5b044263acdd7487ab9003e51af8d8021ea76d294be92aa880b5ad5941f5ccb65173d79f8c4e0e8223f70771c0b838b571264bb2737c7a1b0e8fa73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\5869a92c-8f63-44d7-ac22-58982e831b9e

Filesize
883B

MD5
be6f5c54d62ab025cad3cde07c125c27

SHA1
d5f4de47ec9c0154a51d556f23069a8f6ebde6b0

SHA256
1528c73deec309c1aad38ed2d6cc3c94d5d90178559481e592ecd74f28e37640

SHA512
eafc06a27be4c41f2915ca6537bb23b5ea3d24d37826a360e5646eb7959ea595822a5a09376240f5f5ccb1940623037cdc9e0f9dceb35f9910ad1478b0dbda77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\7c5f803c-3bb9-4804-8e70-631773c3b82f

Filesize
886B

MD5
1724fbc83a5014776ed4d80fa368c035

SHA1
314becffcbdb71c8a4a389fed76eac2415e71749

SHA256
341265dadaa4d8aea4e77bfb30e5d3317fe14cbdc811c79d2752778973f72226

SHA512
cea89757589613568d1004cb6608777dccea9d59a1bcaf5396430d3495e2b4c63f7c262aaa6998a50f4140bdd01576b4589b007bf0d5b85ba00484edaf63796e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\datareporting\glean\pending_pings\b72fe45a-0042-4b4e-a0c7-d1c401066609

Filesize
235B

MD5
194476e2d6a03c29aa9a6ea16c8a675e

SHA1
37090625589da59a2fd6186e58b7c94962e1415c

SHA256
2bf10c802c03b0685841075aadbc2075f98d3ababed1ea48e22424f5958da3d5

SHA512
0f2a4002a0c16bb22158e8773df6b5bf66fb036eb289edcd74e190e1b1a4fb911da494f8b1a1b4c2b06a7c2708acffbae3df2fac3ab1ab941efad19edf5b56e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\extensions.json

Filesize
16KB

MD5
c607c02ba60b967ec43da1f5b2bf09f2

SHA1
c988ecbfae71535dc5d13c06df793821fa3b845f

SHA256
e131c01c8a559b613a46708c4d529b3f11a828bfc2586a6eb2143ae55f27c0b2

SHA512
fa27a84e82d196b694a2641ab1b4321b504876e1e1dac4b710289116df3501dc282554b50845abc7095fa8bfaa1d1c9676afdcd37aec42b1a2934132d2a537ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\prefs-1.js

Filesize
8KB

MD5
470305580755fbb9f11b4c70db611635

SHA1
32f75f1f1d2fcf1048fc77642658411a5cdb5818

SHA256
2f4368c9bda07cc564c11c7bc5393b4afb84da7f814bf01b9230ce509cdf7ca3

SHA512
d3d24a5878ac5d7eeb3cfd93d1c87acde3663c85a09ff400f03c5dedf6ded66aa9b1c0af49c7c42aa4ce54303dd751e951bc912b7dc0742ffb56b7e31ee0bfc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\prefs-1.js

Filesize
7KB

MD5
99878b5e3ccf8e47e14ab09fa861948e

SHA1
a38e1a306e02aae2ef2e4dbd200ba80b8a06c7bd

SHA256
d53577dc5e8b45ea7a2d5b3589e1172d62ad39a8edf52469ade2cf486db3d921

SHA512
d275e3f2693d77ab47956fca27acdf1b808742f29c617bd36e8d5d57b0f303a4d83f9d4a80692b8247ef9f654312923f36991968696b889452cbf2e291aa9bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\prefs-1.js

Filesize
6KB

MD5
bd77648c034edbbdfcec859e62a98a51

SHA1
7e7944d8819624d00dbab0195f992f5b3971ba05

SHA256
23148b3f87325ed8e9932e2d737ab6da6c090541db32260b958b649cefdd3aa1

SHA512
7d455d490278e563cccab51af7edd6abfcea91f1236e95ccb8edbcdcad138322c3cf9a76000a47864aca55d5935c2ae30baac820f83f47d03cdc7868f85c8688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\prefs-1.js

Filesize
9KB

MD5
56e490342456c37f6fd9fbb4c6f9c2d9

SHA1
df4de7a2c42f61c7d5a7fd6156ac8cf9d0caad64

SHA256
becebac2930d60ba7f30d2b0f6dda335ed239ee48f468dd96b6d1cfedba495bc

SHA512
a610ceefb63dad2e598c59dd39379585df3740fd5835883373d68b2c714ca51c3d67105a50525120e544b2799e5f9c54e4a110cc730c9cc348a6f4dbdd3d90aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\prefs.js

Filesize
6KB

MD5
fcf32f5e37accb5109791f01170c2ada

SHA1
87cdbb84814a77a65c1a78d6bbf23651780b5287

SHA256
52eba264617399696983494711e329e90935c724e685e52c02a4070f64ebcb1e

SHA512
ebb0977b82aad4fbb66d008b6ef96c5c6f662dea69a8541962df8441c5679ead6c66e2631c2d39ca619e396aaa3817bd0ed26134446cbac1635417afc33919dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b90a8c49ab83b32b46ae45e95c09914d

SHA1
77774bac443d50f42043ba361844da9453070b51

SHA256
bc2b24e034d9e6fd19adfdb20223572956dc441d960263b55f071448cd5351be

SHA512
35af2d970411a89457e3518ba6c044e784ea0f6e4bdbcaecc642554075fdc94a197bd676d007f4b2b0487f79b7b69189ba02a864567306b52501006143dcf7d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.8MB

MD5
3331a374b80dd2c3350790349c58a136

SHA1
625bfd172eff1975ba83ec81d368332b68773bee

SHA256
cd48fe36bcbc9197096af3470edb54cb45f2ba5ffaa8c310e3dff5e298cc4d53

SHA512
ca7847643aee609a1fe5adff23543a60672ebe58b71e3e5cbec617bc64c9f2f5276a8af07f94300b1356e67aa8cfcb47cfbfbfb2dd80d932ebb3983c032ff24d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.8MB

MD5
21b9fab0cf993dfc495f87147211426e

SHA1
f3a79968f83b317c3bcb622bb678bcaee7f87f49

SHA256
02983bfaa5030d5f1854bb3f53c975c7ff63bb0849449c30fe351c089818de5a

SHA512
6472eb59064b5fcfecccdc3e1816a1b6092018d226008833c8211ad7697d07932dba9a26a2f4565512c58017d34f34a1ad0bb5aeee4b0157e18eb7ef44f85891

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xpwktgiy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.8MB

MD5
76b69e563605ddaf65648582870564d3

SHA1
68f28c7f87f314e83aa69506208acdfc57c2b05e

SHA256
683003824f04dd338d5c20dddb3f5e92259bbf139a58dd2c2e76b96b63066926

SHA512
caff5a34759ff91e1f856d3b638823afce5d4588ae74acca1a06ef44872f68132737cbdff0462785a46fe021cd12358566fb4897bd5eb7c5004ab7f4f1db89b1

Download Submit
C:\Windows\System32\SubDir\OfficeDirectory03.exe

Filesize
1.9MB

MD5
f6f414c145d0acecfdd3cfba707386d3

SHA1
b7281f8c899da4fd46e814ccadda4b3f03db365f

SHA256
b01844fd95ecc51c681f238a6351fe1e8d7228b931f4324b023c4598907e9c69

SHA512
68ac467e9c57fe6c2108217393e1ba45b48503d5274565460420e508e0add220c69120bd5551d7741996f20011a9d1e33f327d13cbff8f29223d6fce6d2a0d24

Download Submit
memory/4788-6-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/4788-1-0x000001EA8A390000-0x000001EA8A57C000-memory.dmp

Filesize
1.9MB

Download
memory/4788-2-0x000001EA8C270000-0x000001EA8C28A000-memory.dmp

Filesize
104KB

Download
memory/4788-3-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/4788-0-0x00007FFD4AA43000-0x00007FFD4AA45000-memory.dmp

Filesize
8KB

Download
memory/5556-15-0x00000244AFD30000-0x00000244AFD7A000-memory.dmp

Filesize
296KB

Download
memory/5556-7-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/5556-8-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/5556-10-0x00000244AFC00000-0x00000244AFC3A000-memory.dmp

Filesize
232KB

Download
memory/5556-18-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/5556-20-0x00000244B0500000-0x00000244B0A28000-memory.dmp

Filesize
5.2MB

Download
memory/5556-17-0x00007FFD4AA40000-0x00007FFD4B502000-memory.dmp

Filesize
10.8MB

Download
memory/5556-12-0x00000244AFDA0000-0x00000244AFE52000-memory.dmp

Filesize
712KB

Download
memory/5556-16-0x00000244AFE60000-0x00000244AFE8A000-memory.dmp

Filesize
168KB

Download
memory/5556-14-0x00000244AFCE0000-0x00000244AFD2C000-memory.dmp

Filesize
304KB

Download
memory/5556-11-0x00000244AFC90000-0x00000244AFCE0000-memory.dmp

Filesize
320KB

Download
memory/5556-13-0x00000244AFC40000-0x00000244AFC8E000-memory.dmp

Filesize
312KB

Download
memory/5556-9-0x00000244AFBF0000-0x00000244AFC02000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads