Malware Analysis Report

2025-01-18 04:25

Sample ID 231201-1947tage82
Target Quasar.exe
SHA256 43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

Threat Level: Known bad

The file Quasar.exe was found to be: Known bad.

Execution chain recorded in behavioral1 (see the Processes, Files and Signatures sections): the submitted C:\Users\Admin\AppData\Local\Temp\Quasar.exe ran and enabled SeDebugPrivilege; firefox.exe downloaded Quasar.v1.4.1.zip (it created the Zone.Identifier stream, the Mark-of-the-Web, on the archive); explorer.exe opened the extracted folder Quasar.v1.4.1\Quasar v1.4.1 with quasar.p12 selected; the extracted Quasar.exe and Client-built.exe were launched; Client-built.exe wrote the client to C:\Windows\system32\SubDir\Client.exe, which then ran and also enabled SeDebugPrivilege. The "Uses Task Scheduler COM API" signature (tagged persistence) fired, but the report records no task name, trigger or originating process for it. The only network record is a DNS query for contile.services.mozilla.com, which is Firefox's own traffic; no client-to-server connection was captured during the run.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-01 22:21

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 22:21

Reported

2023-12-01 22:52

Platform

win11-20231128-en

Max time kernel

1798s

Max time network

1807s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe N/A
File opened for modification C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe N/A

Enumerates physical storage devices

Checks processor information in registry

All hits in this table come from firefox.exe reading HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0; none come from the sample or from the dropped Client.exe.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 66003100000000008157fab210005155415341527e312e3100004c0009000400efbe8157eeb28157fab22e000000dca802000000010000000000000000000000000000005b2823015100750061007300610072002000760031002e0034002e00310000001a000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "4" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 66003100000000008157eeb210005155415341527e312e3100004c0009000400efbe8157eeb28157eeb22e000000dba802000000010000000000000000000000000000001a2317015100750061007300610072002e00760031002e0034002e00310000001a000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
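The two "Set value (data)" rows for BagMRU\0\0\0\0\0\0 and BagMRU\0\0\0\0\0\0\0 above are Explorer ShellBag entries, and they hold more than the folder names: FAT timestamps, 8.3 short names and NTFS MFT references are kept in the registry even after the folder itself is deleted. The parser below is an added example for this page, not part of the sandbox report or of the Quasar project; it decodes those two blobs (hex copied from the rows above) and the BagMRU\0\MRUListEx value, following the publicly documented Windows Shell Item layout (file-entry item class 0x31 with a 0xBEEF0004 version-9 extension block). The field offsets are taken from that format documentation and are an assumption of this example, not something the report states; parent nodes of the path (Downloads, Admin, ...) are not in the report, so only the tail of the path can be rebuilt.

```python
"""Decode the ShellBag (BagMRU) shell items recorded under "Modifies registry class".

Added example, not part of the report. Layout assumed from the documented Windows
Shell Item format: file entry item (class 0x3x) + extension block 0xBEEF0004 v9.
"""
import struct
from datetime import datetime

# Registry data copied from the report's two BagMRU "Set value (data)" rows
# (key suffix under ...\Shell\BagMRU -> hex string).
BAGMRU_VALUES = {
    r"BagMRU\0\0\0\0\0\0": "66003100000000008157eeb210005155415341527e312e3100004c0009000400efbe8157eeb28157eeb22e000000dba802000000010000000000000000000000000000001a2317015100750061007300610072002e00760031002e0034002e00310000001a000000",
    r"BagMRU\0\0\0\0\0\0\0": "66003100000000008157fab210005155415341527e312e3100004c0009000400efbe8157eeb28157fab22e000000dca802000000010000000000000000000000000000005b2823015100750061007300610072002000760031002e0034002e00310000001a000000",
}

FILE_ATTRIBUTE_DIRECTORY = 0x10
EXT_BLOCK_SIGNATURE = 0xBEEF0004


def fat_datetime(raw: bytes) -> datetime:
    """Decode a 4-byte DOS/FAT timestamp: little-endian date word, then time word."""
    date, time = struct.unpack("<HH", raw)
    return datetime(
        1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2,
    )


def parse_file_entry_item(blob: bytes) -> dict:
    """Parse one file-entry shell item carrying a 0xBEEF0004 (v9) extension block."""
    size, class_type = struct.unpack_from("<HB", blob, 0)
    if (class_type & 0xF0) != 0x30:
        raise ValueError(f"not a file entry shell item (class 0x{class_type:02x})")
    # +4 file size (0 for a directory), +8 FAT modification time, +12 attribute flags.
    _file_size, mtime, attrs = struct.unpack_from("<I4sH", blob, 4)
    # Primary (8.3) name: NUL-terminated ASCII at +14, padded to a 16-bit boundary.
    nul = blob.index(b"\x00", 14)
    short_name = blob[14:nul].decode("ascii")
    ext = nul + 1
    ext += ext % 2
    ext_size, version, signature = struct.unpack_from("<HHI", blob, ext)
    if signature != EXT_BLOCK_SIGNATURE or version < 9:
        raise ValueError(f"unsupported extension block 0x{signature:08x} v{version}")
    if ext + ext_size != size:
        raise ValueError("extension block does not end where the item ends")
    # v9 layout: +8 creation, +12 access (FAT), +20 MFT file reference (6-byte entry,
    # 2-byte sequence), +36 long-string size, two unknown dwords, +46 UTF-16LE long name.
    ctime, atime = struct.unpack_from("<4s4s", blob, ext + 8)
    mft_ref = blob[ext + 20:ext + 28]
    start = end = ext + 46
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return {
        "item_size": size,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "short_name": short_name,
        "long_name": blob[start:end].decode("utf-16-le"),
        "modified": fat_datetime(mtime),
        "created": fat_datetime(ctime),
        "accessed": fat_datetime(atime),
        "mft_entry": int.from_bytes(mft_ref[:6], "little"),
        "mft_sequence": int.from_bytes(mft_ref[6:], "little"),
    }


def decode_bagmru(key: str) -> dict:
    """Decode one of the BagMRU values copied from the report."""
    return parse_file_entry_item(bytes.fromhex(BAGMRU_VALUES[key]))


def reconstruct_path(values: dict) -> str:
    """Join long names in key-depth order (each '\\N' component is one folder level)."""
    ordered = sorted(values, key=lambda k: k.count("\\"))
    return "\\".join(parse_file_entry_item(bytes.fromhex(values[k]))["long_name"] for k in ordered)


def parse_mrulistex(hexdata: str) -> list:
    """MRUListEx: little-endian DWORD subkey indices, most recent first, 0xFFFFFFFF ends it."""
    order = []
    for (idx,) in struct.iter_unpack("<I", bytes.fromhex(hexdata)):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


if __name__ == "__main__":
    for key in BAGMRU_VALUES:
        item = decode_bagmru(key)
        print(f"{key}: {item['long_name']!r} ({item['short_name']}) "
              f"dir={item['is_directory']} mft={item['mft_entry']:#x}/{item['mft_sequence']} "
              f"created={item['created']} modified={item['modified']}")
    print("path tail:", reconstruct_path(BAGMRU_VALUES))
    # BagMRU\0\MRUListEx from the report (the Quasar.exe row).
    print("BagMRU\\0 MRU order:", parse_mrulistex("0100000000000000ffffffff"))
```

Decoded, the deeper key yields "Quasar v1.4.1" (short name QUASAR~1.1, MFT entry 0x2a8dc, created 22:23:28 and modified 22:23:52 sandbox time on 2023-12-01) inside "Quasar.v1.4.1" (MFT entry 0x2a8db, consecutive with the child, as expected for an archive extracted in one go), which matches the Downloads path shown in the Process column. The MRUListEx value [1, 0] says subkey 1 under BagMRU\0 was the most recently opened, which is why ShellBag data is worth pulling from a suspect host even when the download folder has been cleaned up.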

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quasar.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe N/A

Suspicious use of WriteProcessMemory

Every row is one firefox.exe process writing into another firefox.exe process: PID 4284 into 4008 (the browser process that owns the gecko-crash-server-pipe.4008 children listed under Processes), and 4008 into its -contentproc children 2044, 5112 and 2648. That pattern is consistent with Firefox's normal multi-process start-up (launcher process starting the browser process, browser process starting content processes), not with injection by the sample; no write from Quasar.exe, Client-built.exe or Client.exe into another process was recorded.

Description Indicator Process Target
PID 4284 wrote to memory of 4008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 4008 wrote to memory of 2044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 4008 wrote to memory of 5112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (48 identical rows)
PID 4008 wrote to memory of 2648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Quasar.exe

"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.0.1638458085\1750171200" -parentBuildID 20221007134813 -prefsHandle 1768 -prefMapHandle 1764 -prefsLen 20806 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d081f7-c362-4784-8c3c-3dafbe66a364} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 1868 1ff35116658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.1.580553069\1454555629" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20842 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa17472-b837-4fac-95a7-562c00b55b41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2244 1ff33efa558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.2.1624495043\176543632" -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2828 -prefsLen 20945 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9896c26e-13f9-4f87-8cf3-4d0d817439d6} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2844 1ff392c6c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.3.121291919\1092289604" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b422a-6fba-4e66-8aac-35d0ce5befb9} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 3508 1ff27f5e258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.4.870837767\62852592" -childID 3 -isForBrowser -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 26183 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928d66f5-cf09-49aa-97e8-79006b861377} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3b2fa158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.5.807145398\217926177" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dbe736-72b0-4832-bb5c-f07c189ae6e7} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5328 1ff3b2fce58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.6.1116477458\1265926687" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5320 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9661152e-d84b-44e6-8a0d-dae3a7770c41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5288 1ff3b89be58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.7.1686810636\328676984" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5688 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4f19dc-e37c-4b17-a85b-153112ed7f45} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5680 1ff3b899158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.8.1807087145\960263319" -childID 7 -isForBrowser -prefsHandle 4860 -prefMapHandle 4752 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e179ae3-6a28-42b6-8e38-145ec0c0876d} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3a315b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.9.34196916\1330491773" -childID 8 -isForBrowser -prefsHandle 2940 -prefMapHandle 5552 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12f04b91-e66d-4d06-bbec-0a36ff311602} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2928 1ff369f5558 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe

"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"

Network

Country Destination Domain Proto

Files
