Analysis
-
max time kernel
1798s -
max time network
1807s -
platform
windows11-21h2_x64 -
resource
win11-20231128-en -
resource tags
arch:x64 arch:x86 image:win11-20231128-en locale:en-us os:windows11-21h2-x64 system -
submitted
01-12-2023 22:21
General
-
Target
Quasar.exe
-
Size
1.2MB
-
MD5
12ebf922aa80d13f8887e4c8c5e7be83
-
SHA1
7f87a80513e13efd45175e8f2511c2cd17ff51e8
-
SHA256
43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
-
SHA512
fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275
-
SSDEEP
12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA
Malware Config
Extracted
quasar
1.4.1
Office04
8.8.8.8:4782
515013e8-abbd-44ab-9101-e876186630fd
-
encryption_key
F6DE1467377AA97CD6B82E38020633777CDA2580
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 9 IoCs
resource yara_rule behavioral1/memory/4992-0-0x000002DC44280000-0x000002DC443B8000-memory.dmp family_quasar behavioral1/memory/2808-454-0x0000025616010000-0x0000025616026000-memory.dmp family_quasar behavioral1/memory/2808-457-0x0000025617970000-0x0000025617980000-memory.dmp family_quasar behavioral1/files/0x000200000002a90a-656.dat family_quasar behavioral1/files/0x000200000002a90a-677.dat family_quasar behavioral1/memory/3388-678-0x0000000000900000-0x0000000000C24000-memory.dmp family_quasar behavioral1/files/0x000300000002a915-685.dat family_quasar behavioral1/files/0x000300000002a915-684.dat family_quasar behavioral1/files/0x000200000002a90a-714.dat family_quasar -
Executes dropped EXE 3 IoCs
pid Process 3388 Client-built.exe 908 Client.exe 2772 Client-built.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\system32\SubDir\Client.exe Client-built.exe File opened for modification C:\Windows\system32\SubDir\Client.exe Client-built.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 56 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 66003100000000008157fab210005155415341527e312e3100004c0009000400efbe8157eeb28157fab22e000000dca802000000010000000000000000000000000000005b2823015100750061007300610072002000760031002e0034002e00310000001a000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 Quasar.exe Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings firefox.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Quasar.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "4" explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings Quasar.exe Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 
66003100000000008157eeb210005155415341527e312e3100004c0009000400efbe8157eeb28157eeb22e000000dba802000000010000000000000000000000000000001a2317015100750061007300610072002e00760031002e0034002e00310000001a000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Quasar.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier firefox.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3516 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3516 explorer.exe 2808 Quasar.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 4992 Quasar.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 2808 Quasar.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 4008 firefox.exe Token: SeDebugPrivilege 3388 Client-built.exe Token: SeDebugPrivilege 908 Client.exe Token: SeDebugPrivilege 2772 Client-built.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 2808 Quasar.exe 908 Client.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 2808 Quasar.exe 908 Client.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 3516 explorer.exe 3516 explorer.exe 2808 Quasar.exe 4008 firefox.exe 4008 firefox.exe 4008 firefox.exe 908 Client.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4284 wrote to memory of 4008 4284 firefox.exe 82 PID 4008 wrote to memory of 2044 4008 firefox.exe 83 PID 4008 wrote to memory of 2044 4008 firefox.exe 83 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 
PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 5112 4008 firefox.exe 84 PID 4008 wrote to memory of 2648 4008 firefox.exe 85 PID 4008 wrote to memory of 2648 4008 firefox.exe 85 PID 4008 wrote to memory of 2648 4008 firefox.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quasar.exe"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.0.1638458085\1750171200" -parentBuildID 20221007134813 -prefsHandle 1768 -prefMapHandle 1764 -prefsLen 20806 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d081f7-c362-4784-8c3c-3dafbe66a364} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 1868 1ff35116658 gpu3⤵PID:2044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.1.580553069\1454555629" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20842 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa17472-b837-4fac-95a7-562c00b55b41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2244 1ff33efa558 socket3⤵
- Checks processor information in registry
PID:5112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.2.1624495043\176543632" -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2828 -prefsLen 20945 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9896c26e-13f9-4f87-8cf3-4d0d817439d6} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2844 1ff392c6c58 tab3⤵PID:2648
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.3.121291919\1092289604" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b422a-6fba-4e66-8aac-35d0ce5befb9} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 3508 1ff27f5e258 tab3⤵PID:4652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.4.870837767\62852592" -childID 3 -isForBrowser -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 26183 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928d66f5-cf09-49aa-97e8-79006b861377} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3b2fa158 tab3⤵PID:4132
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.5.807145398\217926177" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dbe736-72b0-4832-bb5c-f07c189ae6e7} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5328 1ff3b2fce58 tab3⤵PID:2176
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.6.1116477458\1265926687" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5320 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9661152e-d84b-44e6-8a0d-dae3a7770c41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5288 1ff3b89be58 tab3⤵PID:712
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.7.1686810636\328676984" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5688 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4f19dc-e37c-4b17-a85b-153112ed7f45} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5680 1ff3b899158 tab3⤵PID:4908
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.8.1807087145\960263319" -childID 7 -isForBrowser -prefsHandle 4860 -prefMapHandle 4752 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e179ae3-6a28-42b6-8e38-145ec0c0876d} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3a315b58 tab3⤵PID:1660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.9.34196916\1330491773" -childID 8 -isForBrowser -prefsHandle 2940 -prefMapHandle 5552 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12f04b91-e66d-4d06-bbec-0a36ff311602} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2928 1ff369f5558 tab3⤵PID:3232
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1164
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2808 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵PID:4688
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3516
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3388 -
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:908
-
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bmp1livs.default-release\activity-stream.discovery_stream.json.tmp
Filesize 21KB
MD5 d9c9dfbaf9485188c56c98097df639a7
SHA1 c353f7cdc3f41cefe233e0105e3519f8493cad3e
SHA256 7dfda55001da9d98afa0d4e6f7bf9ac43a73b5285dbfc00bbb154c5f17451707
SHA512 15e55b1053971765c998b133a8ee2e3ae6bca10744096aeae19d3f14a0d65ac44e73c890db5b69ad2d68b2a2fcc94a160f5decf67c644314ff5112e76b9036b4
-
Filesize
10KB
MD5 c7e31533c3344d20e1aadaa068ca6dfa
SHA1 42cd512b5687ec73f300a587d7634f18f2f81ba4
SHA256 c25498aaafd0846c7a3a27fc1081aeb2142e04fb55eaa5106a6f62b6b0a6e496
SHA512 1c922bb364e8663708e498e0e4b83f08d45ea39ff048016f7ed823a4824f950c1d87d0a5fcf214eafa9e863c72f39ae422f75a4b32c7d66638704a36313a0630
-
Filesize
442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize 19KB
MD5 269c30a6eaf067846eb28bac413675f3
SHA1 ffb076c623d65759e6edc48ae39c7514fc8196e5
SHA256 adb9798d605a7ae50f03a6bb96307a592df8de1750c15d47307c290663668cf4
SHA512 de7c4773fd61c988c6a50112e7ef715a4bb941fb715a31dfd1511f37e01cae7bf95c1c6ba77c8c03b947f24303f39b41b23ce0fc86d022c381940116ee010424
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 039e30a0b330714d0807614f694df66b
SHA1 102c4aaf1f8013fc0c95dcdddf40b5e62e5dc808
SHA256 0c102c2c417612f4074d50daea4d9607a7dbc3664da9799add81f9b720509fd2
SHA512 47bece7633b7d37b944096e427455262d8209020116afc0661de65c5f0ad4fc03cc5d9c0f8d8c130cd8d596701214005ea1b1301f4a9f5f271965f4177bc4a39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\48bf7a9c-ece6-4c4c-b1a0-efd6625e12ab
Filesize 10KB
MD5 bb8ccd513f71655d03a64fab9915ad63
SHA1 ef8cc1078366f63bd4169a8f01ee93efc55a8e78
SHA256 b31fb401262df7ddf3fe70e99bfe3389662f08e5b26d3c48de04c08d15bc60dd
SHA512 f1924b107827fc0a86147ccc2c87c181934c6a930d6b60d0be91080d45778b8b133c9098c6c2c0b09fd41889b92378d65ddf94de074b13c237ff40fcf2244d13
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\998d9740-1270-43da-a5d7-62a1c9e37e84
Filesize 746B
MD5 85b00861af634ad0ac6d81c3bfdbe0ae
SHA1 c43577d295fcfce5aa869978f5f08f05dd99089b
SHA256 2543a6e0eeda1887818ef34f095019b4a8dda2b8c75c2ea9449f2a5720d8dc5d
SHA512 c28a2260c51997142f4755a59641b5652a96ae4e3104382e7abc86f3ef0e8c67ffd39cee801569473d28e72e64f04f1ac6d867953a143d583934413ad7afeb7c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD576d53e50c31b2120ebd423103c3e561b
SHA1ed1b259ddafcd538978028b1fc2c34c313dfdd1a
SHA2564b2373a711857af4d679825e340427b190da2d11e3f0a2716955c8f726bfc4fd
SHA51240c0a5c6a7daaa9eeae89a85bb26d89142e5b4682c6b31634b3ea58e92f8d06cd98312a89852bcf80c450f8c6eb1bf9792d25ee6f2829d2c371387af7fe08e82
-
Filesize
7KB
MD59c66695448f68f7614feecf811d88a04
SHA105480a6029c87fc982c2922eccdeeec738b7655a
SHA256198568fa10132130bd1f524e504da188c6b357fff00f85741c5a165bb110552d
SHA5124220888f0b3b7501d45a60a0452edf625f890018222c2f48b4a7d81637ee9b4e9d945933a995f08e4d664608dd42897a5c41c81d90cc12ab4650b4ab9f28e771
-
Filesize
6KB
MD5824d94492ba92109907d934b706ffb97
SHA1f59288571acf5fea2d6a5a8d8f9e3adb84c40768
SHA256e07f8da85168c4714bad01fa91f59d6255b7db0bb3d0f4d08e0a37f6134bedde
SHA51247a0f944b679efb5652b51b1873a02ef07152df68cdad9b34537a9a65a6749ab318c7dce173926e646cb8622eeaeb684c1cba1697f076533598057e4fcfe6afc
-
Filesize
6KB
MD56fea0893c2830a4a79b0a385d06c247f
SHA1d54cc5f08a1f3a7549745a1f0b58f8ab0f2ac5c7
SHA256191505a5b38138aabfe6617d77c4d8381a7cb1763868f280125b36fff599cbae
SHA51287269ae6aad25ae65fb832b3940860938d70deaf20bc4ace08346e59da599afe612fdc798379e54a484f9e9d1896ce7ad88e5d4e22c65ce0c7c7ad8f874dac6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionCheckpoints.json
Filesize259B
MD5700fe59d2eb10b8cd28525fcc46bc0cc
SHA1339badf0e1eba5332bff317d7cf8a41d5860390d
SHA2564f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA5123fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5de91d28c6a48338fee6fcbf238e5a0b1
SHA148d12bc496fd2d7a93ff5f0f6179f79429b43361
SHA256186c564bb131446ac1d0d8489dd5f43aad6236e57962883a4819e4c96778f402
SHA51248672753aacb52bd5dab994b19ae5b52c332a8e2cbd1b96d440e47b305e70a4e6b30cb45cbf9c44aea009c9f899875813a0dcff38a9615406dfcc91fb5587aa6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize6KB
MD527dae0c42ca1be50b239d3bc56209500
SHA142f25ab6278362a8eba0af43ce84c7b4814ff9d3
SHA2564076ea2c5c3ff2c139f2cf69ba028a95bf6638277290f9b7011175e5bf3d9530
SHA51275aec4f25edf2ea8f593cb74cf9ee10231e6bfddbd8b608be887a0ee9edf545bfb4323b059fae6d722113d0c763e5994e75d0e3379ac9f193436102611390f14
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5435b0803f71751307d8003cfb455b959
SHA12878e28039d91fffb05f36d207557a8ebbcae690
SHA256538e73b092760b9252a816e3a51ef883fcf347dbdcc04c87b84982ac4a83e433
SHA51298cb3bf2b31b19ba9f8992c68c148d09dad87f63697d2466021c9ff693d3727ba6e21d2b631714718ced76775790fa27ed2d7d8cba3531fb7fdd5928ce3883cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize6KB
MD53710f8d454b68f692c39ddfa29a6495d
SHA1e0b754d2762d54f70c634ed17be9404ee31ccdd5
SHA2566d143f64b44da8333b68599be56accd33d9b90df42b14643e8069afae7220ee9
SHA512ab697948b3c778cb5082788e37e51e1fe5ae66b00f93660208fc2938cca44c298e415d09fc9c6921123f0e838e1fb674f69f20ca932fa2210d28b0203fd0f7e9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize6KB
MD5c4773f3bdae089303c176a7ee27eabfe
SHA1b98d40b805f720c732824bb884de9c29063dfe98
SHA256d322ecb4a12f7b4b8a5ff0f358b80b3df8f8c0851eea462067f4477220b68ebc
SHA51261855844c01e01a587df24bc5ab956d1a39119436b3b0f8ed43ddf11dad1b7f559d1d0dce3a3323b64d9d1b517ff726a9b035cc8f374297bb020a0059e1542e4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore.jsonlz4
Filesize6KB
MD5a3c3b0ae2fc543f94c0a3b27a3aeba88
SHA160d8f849196c00c2fa43b9f2f06519206e07abf1
SHA2569bf0a11eecb5879022f6814e1600e88b89c12830aee7bfcdcc237043412e395b
SHA5122d6fd0736bc24ad08c77a1fd1cac93c3bef8ca2758bf0e1986ecce987e28879eb3f9c1e25f13915d368c339ff9b6f2935cc4f49df1398fe42106cf6093b238a1
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
Filesize
3.1MB
MD5b0f46a28c528f051ffe5f107e6f7da74
SHA11628f7ce1fd30af121e253b4799f1b0bb742cb38
SHA256be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660
SHA5126a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7
-
Filesize
3.1MB
MD5b0f46a28c528f051ffe5f107e6f7da74
SHA11628f7ce1fd30af121e253b4799f1b0bb742cb38
SHA256be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660
SHA5126a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7
-
Filesize
3.1MB
MD5b0f46a28c528f051ffe5f107e6f7da74
SHA11628f7ce1fd30af121e253b4799f1b0bb742cb38
SHA256be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660
SHA5126a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7
-
Filesize
4KB
MD5fe60f7a00a5a46a06cb58a963cf586f7
SHA12256ade580675cc083f2105f66a49a3914dfdec7
SHA25616fbfdcbbd262715d43e8a6444cc69803b2e38ed7ac69759b69df7af9a401db5
SHA5124ccc44ce6de449bd1f8cf1b7aa7a72724e87377eefda902c4c6d5c039ab248b4b2e7b810ae365c5115ab072894ba86b5ca6b462ad97326d7f7c96db2bc0e683d
-
Filesize
373B
MD5b6af1da05c1a00991f04f8b898cea532
SHA124c48b062d8d864eefd32f2d84a36e1a7282e911
SHA256f2ef0d8f29904a65ce6dbe29baf9379fb4659afb6930a5af5d9fb88f73b73f41
SHA5122ab2de469911c3fee5b9bbfdbb373e5eb15023bf25b9e1835ebbf5890c66cfd7a06d7d5911e2fb630afadf9b30489e589634cefe52ca4c4156ae24b24c00c8aa
-
Filesize
3.1MB
MD5b0f46a28c528f051ffe5f107e6f7da74
SHA11628f7ce1fd30af121e253b4799f1b0bb742cb38
SHA256be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660
SHA5126a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7
-
Filesize
3.1MB
MD5b0f46a28c528f051ffe5f107e6f7da74
SHA11628f7ce1fd30af121e253b4799f1b0bb742cb38
SHA256be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660
SHA5126a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7