Resubmissions

16/08/2023, 10:13

230816-l87h8aca2t 10

16/08/2023, 09:32

230816-lhxlbsbg91 10

Analysis

  • max time kernel
    647s
  • max time network
    656s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-de
  • resource tags
    arch:x64, arch:x86, image:win10-20230703-de, locale:de-de, os:windows10-1703-x64, system, windows
  • submitted
    16/08/2023, 10:13

Errors

Reason
Machine shutdown

General

  • Target

    test.exe

  • Size

    3.1MB

  • MD5

    eecdbc78d76691a6be6cecc14a09968e

  • SHA1

    01cbea73481a01dfcbf5e84abb060d2915e4684c

  • SHA256

    781ecb1f7366bf4ae82fc447898d1ec82f49a48787dff6b0bfb9a0f69e85c354

  • SHA512

    1460dea51eef202616ce842586e3c0e4b561cdaf8cdc974a2a5a2cb5c6a0d64e4e592f0c2803aa8dfba9392f07d41573802fad5bc8a48c6cf1b8651cc1d849c6

  • SSDEEP

    49152:GHl592AYawl1WPOl6NVtRkJ0xEEmxR16cbRi+oGdhTHHB72eh2NT:GH/92AYawl1WPOl6NVLkJ0xEEgR16w

Malware Config

Extracted

Family

quasar

Version

1.0

Botnet

Office

C2

7.tcp.eu.ngrok.io:11273

Mutex

f66b5493-61eb-4d81-92bf-7cdd5011ca71

Attributes
  • encryption_key

    5C8FA74B508E07066B897AA659A1D34132B54635

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    1

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:4968
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /s /t 0
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.0.1769095693\525875252" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afd20bd9-0c85-48aa-b6cd-f58a7227f202} 208 "\\.\pipe\gecko-crash-server-pipe.208" 1764 2528e0d6858 gpu
        PID:1756
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.1.1194289044\294948057" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c952efa5-ec74-4451-9429-043bcab51eb9} 208 "\\.\pipe\gecko-crash-server-pipe.208" 2120 2528dc30e58 socket
        PID:3488
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.2.1503346409\210400" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3048 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbb5d6aa-fda0-4847-8ee7-2dcd4f3a375f} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3024 252922ec858 tab
        PID:4460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.3.367339332\2099748522" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3428 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1084ca98-c997-423c-ac63-0b573753ee14} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3452 25290b37358 tab
        PID:1720
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.4.162576551\1317084216" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3dfdd95-195a-4c0c-aecd-79e23ef93ad6} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3772 25283161c58 tab
        PID:364
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.5.162110592\1421143292" -childID 4 -isForBrowser -prefsHandle 4628 -prefMapHandle 4656 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3b687b3-21b6-49a2-85fd-bbbf3babd4b1} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4716 25290b37c58 tab
        PID:4320
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.7.570236312\1121716462" -childID 6 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0892161b-3f1f-49ec-a13d-2b4ad03ae819} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4716 252946ca358 tab
        PID:2312
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.6.101298466\1734529498" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 4880 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30d79a2-0769-4e76-8144-e04810e15fb1} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4868 252946cb858 tab
        PID:2744
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID:2440
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.0.1413823450\1891986387" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dc0b0c4-f414-4e89-bdf9-f8079d1b1c7d} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 1764 17b146d6558 gpu
        PID:3236
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.1.511606937\2011904631" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {552b8e95-0eb9-4ce4-965d-deeb7897decc} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 2120 17b0956f858 socket
        PID:4792
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.2.1028359774\1704020351" -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3248 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce420ae-1339-45ad-aeb5-68bcbae3172a} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 2792 17b185d0558 tab
        PID:4696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.3.434948343\1253193167" -childID 2 -isForBrowser -prefsHandle 1004 -prefMapHandle 972 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80ee9c82-294d-4983-b5fc-6d0205481d50} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 3780 17b09562b58 tab
        PID:3376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.4.1300884846\426975889" -childID 3 -isForBrowser -prefsHandle 4296 -prefMapHandle 4288 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5224694c-a39c-4af6-8da6-a27457ba11a6} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4312 17b1a79f258 tab
        PID:1244
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.5.1449651103\1629294679" -childID 4 -isForBrowser -prefsHandle 4708 -prefMapHandle 4744 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d390c0eb-b126-49de-a3f6-da88b4c88946} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4724 17b197be458 tab
        PID:860
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.6.1920493624\2040117799" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {051436a1-cd42-4049-a001-ea2a0396c1f4} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4964 17b197bf358 tab
        PID:2320
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4936.7.1105210350\1699018455" -childID 6 -isForBrowser -prefsHandle 4688 -prefMapHandle 4648 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30d72dcb-7649-4110-a482-354d138ed5be} 4936 "\\.\pipe\gecko-crash-server-pipe.4936" 4852 17b1a79fe58 tab
        PID:2780
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4656
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\SubmitStep.xlt"
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:208
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2952


Downloads


                                              288B

                                              MD5

                                              e08ef355498ae2c73e75f5a7e60eada5

                                              SHA1

                                              c98b5ab80782513f6e72d95ab070e1ed7626c576

                                              SHA256

                                              d1a98a30522d1bf882574df5ed2793bba5c4fdf0381788babea0846f6946745c

                                              SHA512

                                              a0550e83ecd1cf632b4e54bf43744ee9f7c0a8dfcf9a043e018c00d4ca0bba606cfcaaa469b204e7c9dffec1f79b91e16cd4f1c94ff512c45d3dd25b7174e859

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp

                                              Filesize

                                              122B

                                              MD5

                                              99601438ae1349b653fcd00278943f90

                                              SHA1

                                              8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

                                              SHA256

                                              72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

                                              SHA512

                                              ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp

                                              Filesize

                                              90B

                                              MD5

                                              c4ab2ee59ca41b6d6a6ea911f35bdc00

                                              SHA1

                                              5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                              SHA256

                                              00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                              SHA512

                                              71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp

                                              Filesize

                                              259B

                                              MD5

                                              c8dc58eff0c029d381a67f5dca34a913

                                              SHA1

                                              3576807e793473bcbd3cf7d664b83948e3ec8f2d

                                              SHA256

                                              4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

                                              SHA512

                                              b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json.tmp

                                              Filesize

                                              53B

                                              MD5

                                              ea8b62857dfdbd3d0be7d7e4a954ec9a

                                              SHA1

                                              b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                              SHA256

                                              792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                              SHA512

                                              076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4

                                              Filesize

                                              1KB

                                              MD5

                                              b2d25afc20aa49453935561f6fef77a7

                                              SHA1

                                              bbc3cf3f2cf1421b845afd057e158db9ef049f5b

                                              SHA256

                                              d6a171589f38f5c71ff6a1a6c4f059b3b8ca19312d152ec12e3529b3f31f34b5

                                              SHA512

                                              eba9cd88576ca33bc06d53df958d10949174b4c5c3ee84b252f95006881f5e5ca5e1d6daa3ef73ae189f31c2ed81f5efde1073159c0323b35cd7e0ea9afd5959

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4

                                              Filesize

                                              883B

                                              MD5

                                              69aacfde0de086e3f7b7ea6bcce1107a

                                              SHA1

                                              b584397321dff457f51190d18f3188b2a3a365ec

                                              SHA256

                                              ce6c214f924092216ecf61125c432db71c5a9770d210940a3f2313326322df5e

                                              SHA512

                                              8f2ef8e138f1babaf01f6cf7964fd6b07716716100c7fdb1c637ea973b7fc7ca084defd7bad1fdd0166f97696280f744349ef2a3e21adcfd6294a8f9798f3ade

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4

                                              Filesize

                                              883B

                                              MD5

                                              69aacfde0de086e3f7b7ea6bcce1107a

                                              SHA1

                                              b584397321dff457f51190d18f3188b2a3a365ec

                                              SHA256

                                              ce6c214f924092216ecf61125c432db71c5a9770d210940a3f2313326322df5e

                                              SHA512

                                              8f2ef8e138f1babaf01f6cf7964fd6b07716716100c7fdb1c637ea973b7fc7ca084defd7bad1fdd0166f97696280f744349ef2a3e21adcfd6294a8f9798f3ade

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4

                                              Filesize

                                              853B

                                              MD5

                                              4c3b19090d9a45dee42f414bd9caa046

                                              SHA1

                                              4e1e62aa13a26844498611af5c9f18f5bb70fe5d

                                              SHA256

                                              553cccf12d43365fdd55c6d7d2a57179ccb32bc5369de62cabbe559b033b9362

                                              SHA512

                                              274301b0e635cf5535e4a41ae9233c3b874c42fe9cf52691e1a8475a608b2981485d940d84f33fee773a20d0e1e72c5815c204d2241566cea4509bddd0c76ff9

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

                                              Filesize

                                              48KB

                                              MD5

                                              bc599f77a10c3966af802ed338fe4dd9

                                              SHA1

                                              4cd4db1484b716ce6cd0761fe782390f1c954352

                                              SHA256

                                              c1feabd5bf4c9860dabbbbf48150d22ee71ed35115ebd1223306a2e4b3906401

                                              SHA512

                                              7d922be7406851d3bb84478e78136dac2409086fb072383240d1de0c08b4ad524be653d0bfa220e52ebfd4b5839b0c43f3b40e5a444fd393ddc28851a92dcd6e

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\xulstore.json

                                              Filesize

                                              120B

                                              MD5

                                              05e1ddb4298be4c948c3ae839859c3e9

                                              SHA1

                                              ea9195602eeed8d06644026809e07b3ad29335e5

                                              SHA256

                                              1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

                                              SHA512

                                              3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

                                            • memory/208-344-0x00007FFB1DD10000-0x00007FFB1DD20000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-375-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-596-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-542-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-541-0x00007FFB5D4D0000-0x00007FFB5D57E000-memory.dmp

                                              Filesize

                                              696KB

                                            • memory/208-345-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-346-0x00007FFB1DD10000-0x00007FFB1DD20000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-347-0x00007FFB1DD10000-0x00007FFB1DD20000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-348-0x00007FFB1DD10000-0x00007FFB1DD20000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-349-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-352-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-353-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-357-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-362-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-361-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-363-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-366-0x00007FFB1A370000-0x00007FFB1A380000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-367-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-368-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-370-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-374-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-540-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-373-0x00007FFB1A370000-0x00007FFB1A380000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/208-372-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-371-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-369-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-365-0x00007FFB5D4D0000-0x00007FFB5D57E000-memory.dmp

                                              Filesize

                                              696KB

                                            • memory/208-364-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-539-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/208-538-0x00007FFB5DC80000-0x00007FFB5DE5B000-memory.dmp

                                              Filesize

                                              1.9MB

                                            • memory/4968-126-0x000000001BE60000-0x000000001BE9E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/4968-129-0x00000000014D0000-0x00000000014E0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/4968-117-0x0000000000B00000-0x0000000000E24000-memory.dmp

                                              Filesize

                                              3.1MB

                                            • memory/4968-127-0x000000001D050000-0x000000001D09A000-memory.dmp

                                              Filesize

                                              296KB

                                            • memory/4968-125-0x000000001BE00000-0x000000001BE12000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4968-124-0x000000001CDF0000-0x000000001CEF4000-memory.dmp

                                              Filesize

                                              1.0MB

                                            • memory/4968-121-0x000000001BEC0000-0x000000001BF72000-memory.dmp

                                              Filesize

                                              712KB

                                            • memory/4968-567-0x00007FFB4FE00000-0x00007FFB507EC000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/4968-120-0x0000000003150000-0x00000000031A0000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/4968-119-0x00000000014D0000-0x00000000014E0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/4968-118-0x00007FFB4FE00000-0x00007FFB507EC000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/4968-128-0x00007FFB4FE00000-0x00007FFB507EC000-memory.dmp

                                              Filesize

                                              9.9MB