Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-05-2023 17:12
General
-
Target
readme.txt
-
Size
883B
-
MD5
f32dc53dea22ab780d87dbe53ecc85f4
-
SHA1
a3a57d0730c880a3e72371d15e5e8a96d71c2c1e
-
SHA256
0865fcaaffbee526ecc6c62d837a7684b63c55ecc940887ec88c617836b83a40
-
SHA512
bd3308edc436226e5e746d5e2cba7b716b92af6b67f7fdc2830d322e6a189ee4d914e24616af46168e3e5e42442df10e9e28d44374c80107de5c0b4988159886
Malware Config
Extracted
quasar
�G��
-
encryption_key
428B8BF995C1D5153E40DED9D607521359BB4C60
-
reconnect_delay
3000
-
subdirectory
(
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\readme.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.2143629722\182815275" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24fdc47a-3569-433d-b162-6f51766be8c3} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1936 1f426de3858 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.1525056104\424461732" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9f4ee5f-f476-4243-abcd-f9a45ecad82f} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2316 1f419e72858 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.2007204058\2142269633" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3000 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b1a050-b86d-4f96-9c69-4ac4840a6321} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3140 1f42aae0258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.3.1950419606\328347349" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 3124 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58a58dcc-7cec-487f-924b-cd0d86b234fc} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 920 1f419e6a258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.4.401256743\1568895577" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca03dff8-1155-4a7b-ba24-d0aeb8f84d6f} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3788 1f42aff0158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.5.510371006\31840809" -childID 4 -isForBrowser -prefsHandle 3776 -prefMapHandle 4488 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6a3ede-1060-4091-b5ae-75ef9d2e82a1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5232 1f419e30558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.7.132002517\304772019" -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 3780 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5837067-87b1-4b09-a3ce-0be3a298991a} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5252 1f42d3c0658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.6.647987743\1431189875" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {455279bf-1cca-4e29-89de-f008320b629c} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5336 1f42d3be558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.8.1144796927\1575794910" -childID 7 -isForBrowser -prefsHandle 5760 -prefMapHandle 5408 -prefsLen 26674 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3169816d-4dcc-4852-8898-f6e5de126e89} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5208 1f42e597a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.9.773714241\522862725" -childID 8 -isForBrowser -prefsHandle 9588 -prefMapHandle 9584 -prefsLen 26889 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cf65e6c-c4bd-4503-b09c-66bdd76d055d} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 9596 1f430278658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.11.662717543\185087" -childID 10 -isForBrowser -prefsHandle 9136 -prefMapHandle 9132 -prefsLen 26889 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6e1a4df-74c1-445c-a961-b539010c4bdb} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 9144 1f430277a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.10.1170296295\1202663976" -childID 9 -isForBrowser -prefsHandle 9344 -prefMapHandle 9340 -prefsLen 26889 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {469a57ab-10fd-4fc6-8c71-f9a4cf42cb0c} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 9456 1f430276858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.12.1672135323\1458878046" -childID 11 -isForBrowser -prefsHandle 8940 -prefMapHandle 8784 -prefsLen 26889 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb74a3a-721a-44bd-b304-22fcbc3b6529} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 8960 1f4300fb258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.13.2136889041\718556265" -childID 12 -isForBrowser -prefsHandle 8900 -prefMapHandle 8904 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c922db9-9262-4f54-98e7-a78ee76efdc8} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 8892 1f430a14558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.15.37721750\1264989100" -childID 14 -isForBrowser -prefsHandle 9288 -prefMapHandle 9284 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c33590-b393-43b2-a320-961448490a16} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 9296 1f430a12158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.14.441808989\1691098249" -childID 13 -isForBrowser -prefsHandle 8320 -prefMapHandle 8316 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edfe35e3-a2c2-4dee-9a02-13fa8ffaafbf} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 8328 1f430a13958 tab3⤵
-
C:\Users\Admin\Downloads\Office.exe"C:\Users\Admin\Downloads\Office.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.18.265029745\317991147" -childID 17 -isForBrowser -prefsHandle 7252 -prefMapHandle 7248 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adeee40f-4572-4031-bec9-97db2585d59a} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 7260 1f431988b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.17.2046727037\1509446844" -childID 16 -isForBrowser -prefsHandle 7416 -prefMapHandle 7412 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {520dbaee-8534-4487-bc1d-ff996255e63a} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 7984 1f431e2c358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.16.909437247\871161472" -childID 15 -isForBrowser -prefsHandle 7588 -prefMapHandle 5100 -prefsLen 27154 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2fbc956-2ddd-421b-b3c9-079e95b0627c} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 7556 1f431c2d258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.19.2013248019\2137396018" -childID 18 -isForBrowser -prefsHandle 7768 -prefMapHandle 4852 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3098addb-3241-4589-966d-e3fe75e1cdbb} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 8928 1f42d356858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.20.1153412716\586161537" -childID 19 -isForBrowser -prefsHandle 9488 -prefMapHandle 9512 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9af3f8-f755-477a-9603-f359e8327260} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 7192 1f430411258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.21.1772714728\1617617535" -childID 20 -isForBrowser -prefsHandle 6908 -prefMapHandle 6912 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a382a220-8440-448b-9fc6-4e0a9cc0d593} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 6992 1f4297a3d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.22.552544933\1230358206" -childID 21 -isForBrowser -prefsHandle 6980 -prefMapHandle 7044 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e4f3d9-63bb-4253-b64a-ec62fa053222} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3660 1f42f4ca858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.23.1675250979\714472424" -childID 22 -isForBrowser -prefsHandle 6868 -prefMapHandle 6864 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1508 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {289f2452-f38f-4d34-b9ef-7ea7a4b110bc} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 6784 1f42f582b58 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Office.exe"C:\Users\Admin\Downloads\Office.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmpFilesize
141KB
MD5e3f711760bb9b5b176c03bd70bc56c29
SHA11d0a541a0d6b0bb672f87d9f943ec0f0028cac6b
SHA2567e4f764f8e32b2b75b85f3687db5db2558144119b16b82eb4de4b9052c0816ab
SHA5123b6f74c379443c580224323d711f9b27c36c8e9e1edc46f499ee74b232a20568946e9078a92fef2ec5b02456999a8d3f48556ea7118a54e1d9098edc177d327b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\5D6FA77C53FB590351F997CCF4ABF6B756BE8802Filesize
57KB
MD5d291cf9e26430a69ce7264a3d5a68482
SHA17d0df69f972f4b791e0c220b6fcabe087df8383c
SHA2562ca2163b610d90a825a3ed5869d5ca24f96f1891724d45fac9a0f7c4ec7c7967
SHA512be297f5ed2b447a0461f3d1023d1110d6f0d657d4322ac2e1ea96beac08869b134aaa1aac64370d2513f3efac7b2de49b1b00c4e6c4c5e103b9a4ff71b0905af
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\917E41E135032D6BD66E5D6F84F0988D37234A33Filesize
14KB
MD5b22b4ae3a9b3cdc147f0e5e9f13fb5e4
SHA12abdaa9efbe52c2cc37dd2ebbead918bf7db805d
SHA25613f1989d030bac551498e4697737f989581057ac262af207e87695877db967ad
SHA5121c793d578a9b5c7d66d6e1498ea637460671c075423c5a90db4c8c2f3742011140ee74406491f3ce7b747d2fbbbe86d67991d79d36071419441e576a26b2dfd0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\929535FFE6DEF799013204CD1F4BE54D821DE36FFilesize
14KB
MD52b01549b35b5d3158cd74bf791938f34
SHA19473c8c8009622bdb53302cb2fea563120730301
SHA256ef7b1e197bce12d9c3524bc4393a600523a3030e62bb73b9f04018c05d69b7b6
SHA51202286890dffb9bf639c5886b37da5a81c54509fe6ee57d3956cdcc65ba63ad1efe76fcf1809da39863f8b814064aae419e061120ae71546b016f03b265183fdb
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
6KB
MD56f806688fbdeee3bfa014c271850fcaf
SHA14c6dbc49472d93ec5c364097ce9779552f3bad45
SHA256464a0bf8c651642142f8737e67771d651b6a89801bd75d6b82004cb315fb87e9
SHA512c838a9c22415f3f5f8029c74256fc4e0899b3af6f59984a94f1941bf9f905b668e79f1c9078283539f9330d94a103ffdbb8c6f9b4c66d3df8b40f8c98f56bb18
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
6KB
MD57c615ebb62f6ddc1f6e06ecd04112afc
SHA180675abee095db503c2192d06e81147ff617ca85
SHA256968dac74881b81c08884a262f71688d85f3fc573bc9678aa7608157c46a3579a
SHA512a20d9c105a2cc8eacd0add382adf912be03a641dbcdc15d2a6bdb4b3b6463a6e181132fdcdae4935c5aee4aa2bcdd148a0cdf78e2af496d4d5e21ce6b41ffd84
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
6KB
MD512ca58985ea61d241bcb056b5d5f4d4d
SHA120c2552d031d6616f5dc83c9165e2f201f9c8e1d
SHA2567b1f6172124ec142b99c5bd323139560fb9129374bcca16119e94d3349b1a07e
SHA512a0b1f2e57f10d905e413208da342348db1accb8862344a9c947c2b314188379518407071a07752befd4bf6c991ca2120fd9f9e94bc913e3a64c724be14056f9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
7KB
MD522bedb203a29c5649087044b77f61a11
SHA110270311956b970a597970ce39aa775ba86f1151
SHA2567306c3ec83400b6f1544b09855dc81dcbd0d1bf37ba1cdda037a22592d0d2363
SHA5120c2bba98a2de4561514f280fc9486246cca20a4af2a641ee688cfd604cf126e5f3abcdc424959397407235564a8645f834fb298cd249b302f12c1c26d5e6baa1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
7KB
MD5fb30deb50e33b0dbe2e9b93c822d2cda
SHA15d38cd1dcdd186091e0b6f6d3693a61f7e127359
SHA2560993ce14f47cefadcdf9c5fb3e048881db57307d77ab47320e54bc73d9aaf035
SHA512a28189aba2181542baf746d772218c05eda6ae5fa4ae8346718fbbc027633323396dd6fbc6c3c48b96ae3f473003f3f4fa6dc4a9bfca0eea070acf697a8090e4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
8KB
MD59191cd835f8180235f2dd6730a9d6155
SHA12be5bc0c29d20081c9519719a383db248960789e
SHA256710766392588c0bdecbf5ff16d35b1070092898ee7a84799a2251df686eb65f6
SHA512891cbdb74689d88a43aebed53547d9b2542f69d8cce1826d2cb984974d46c4512f26e1be43044b519859cccf140123677727afef1c559a0f88d99eb2de828e07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.jsFilesize
7KB
MD5273ff4d6be7d25f94c4e282c5f2eb3fb
SHA1fa2d6d0267d8fecf67552131b0fa014036aa463b
SHA256e421453cab593bf06fbfa37cd3f963b8bd053b5c8e070637e894bc6305a41838
SHA5124c5af9cfd2802b76288aa627327fb75d7d5d800a326769f088529b96a3f1e80e6ab3868e7e244d3129efd37ff9135ff5a1134aabac077c51a6f65935dd719912
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.jsFilesize
6KB
MD51984b45f201f1fd79d2154406648433b
SHA142f082dc6d4d43333688690bf4dfa7c7f8b618ab
SHA256000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9
SHA512e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4Filesize
2KB
MD5152146e91b329a6830c6913e242903e7
SHA1d4c7f76b80fe37c78d2e992094bf5d6b4169bf83
SHA256d475a5ca2e8335194099810dab05585325fdea06d47e2e045885a70c66a2bfa3
SHA5125ac9b42d381bdac4f1bef565a84d85be0ae064a8065ceedc5e6a0b48bf64f75a3e802bcdf4d4d07b1ff54fd3313c926c4bce729813d83592aaa41e3d8c643e2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5f1dfada8a831ce2cc5312337d76a3f63
SHA14a2075bc394af14a7e980176049579ea10c15fa3
SHA25608f16dfb820ff0a64d6a26a439beee7ac59035892a08f9656b49786d8d9f5dc6
SHA512d328c8d38fae38430f45672e9d61117e45a7b681146e9c7e8c779edc12040989de1175ce2cbbed6811e8cd13e22663e20f2b11cbf23db038030a8bf96e25b48c
-
C:\Users\Admin\Downloads\Office.exeFilesize
6.6MB
MD52c60a1233a116a21824c4a64836d6259
SHA19abc138d4cad2cd46a5623c33c379712c1b5ea33
SHA25625e3ab0b2dd01b4e9c5c89f67b1764e05185355446c0baf626d6b5fa92265649
SHA512b80f6deb5ab233ecdbd39dde84b47c29fcd08c17a8cc73b8a38ca3a8203b0c6f5f3d23e7f98cbe31a6a0c3a4e82a4475d8642e4386c8c7334514319d1b28c106
-
C:\Users\Admin\Downloads\Office.exeFilesize
6.6MB
MD52c60a1233a116a21824c4a64836d6259
SHA19abc138d4cad2cd46a5623c33c379712c1b5ea33
SHA25625e3ab0b2dd01b4e9c5c89f67b1764e05185355446c0baf626d6b5fa92265649
SHA512b80f6deb5ab233ecdbd39dde84b47c29fcd08c17a8cc73b8a38ca3a8203b0c6f5f3d23e7f98cbe31a6a0c3a4e82a4475d8642e4386c8c7334514319d1b28c106
-
C:\Users\Admin\Downloads\Office.exe:Zone.IdentifierFilesize
98B
MD50190d4457601e1fbc89fa84b4940a56c
SHA122edb60407518d237d0262ddb42a8d845eb0e4f7
SHA256448ba133ddb54c42b143556c9ba0492a9a5a2990b651c0dd8a59f0d145da80ea
SHA512ca5e6709b16e75d81cfb6383ea7cb0547d6da2e3f9d882159bb51662a02887428497fc21ec8cba7b83e2922ac3580b60416a4f9e73ab66ee977cb4bb4e216f2c
-
C:\Users\Admin\Downloads\Office.yxRLBK-z.exe.partFilesize
6.6MB
MD52c60a1233a116a21824c4a64836d6259
SHA19abc138d4cad2cd46a5623c33c379712c1b5ea33
SHA25625e3ab0b2dd01b4e9c5c89f67b1764e05185355446c0baf626d6b5fa92265649
SHA512b80f6deb5ab233ecdbd39dde84b47c29fcd08c17a8cc73b8a38ca3a8203b0c6f5f3d23e7f98cbe31a6a0c3a4e82a4475d8642e4386c8c7334514319d1b28c106
-
memory/5744-816-0x0000000006930000-0x0000000006ED4000-memory.dmpFilesize
5.6MB
-
memory/5744-980-0x0000000006260000-0x0000000006270000-memory.dmpFilesize
64KB
-
memory/5744-768-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/5744-809-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/5744-810-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/5744-817-0x0000000006270000-0x0000000006302000-memory.dmpFilesize
584KB
-
memory/5744-874-0x00000000061E0000-0x00000000061EA000-memory.dmpFilesize
40KB
-
memory/5744-878-0x0000000006260000-0x0000000006270000-memory.dmpFilesize
64KB
-
memory/5744-952-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/6428-1102-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1093-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1091-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1092-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1097-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1098-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1099-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1103-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1100-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/6428-1101-0x0000013AE2900000-0x0000013AE2901000-memory.dmpFilesize
4KB
-
memory/7092-1031-0x0000000006390000-0x00000000063A0000-memory.dmpFilesize
64KB
-
memory/7092-1016-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/7092-1024-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/7092-1030-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/7092-1150-0x0000000000CC0000-0x0000000001EB0000-memory.dmpFilesize
17.9MB
-
memory/7092-1163-0x0000000006390000-0x00000000063A0000-memory.dmpFilesize
64KB