quasar | 9a91475ffd49c547174f5656fb9731c2de2ff3254b58a63031fc91cc684c4d70

Analysis

max time kernel
252s
max time network
246s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-builtt‮vkm.exe
Size

3.1MB
MD5

bb9deb0d12f32919f0a695b1edf8ab20
SHA1

94ebd418ab45e19116b073c51e89a2399614d5e8
SHA256

9a91475ffd49c547174f5656fb9731c2de2ff3254b58a63031fc91cc684c4d70
SHA512

582e0e0344d472878a79e3f4b982d9a41795b009c55059f082ee8085bb18689454d37e52bff250c001c7be04eb10287088372d64b3fa42048e8cfa3872c4768e
SSDEEP

49152:3vyI22SsaNYfdPBldt698dBcjHEHR39o3oGdRTHHB72eh2NT:3vf22SsaNYfdPBldt6+dBcjHcR39U

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.5:4782

Mutex

f9c55c52-d182-4e6c-9642-b038ea9c4ee1

Attributes

encryption_key
A98D5D4A1C020D24ED471A8CC2D89A28352EB296
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000630000-0x0000000000954000-memory.dmp	family_quasar

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610425731318307"	chrome.exe

Modifies registry class 2 IoCs

Processes:

firefox.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4852	chrome.exe
4852	chrome.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1956 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4852 chrome.exe
4852 chrome.exe
4852 chrome.exe

pid	process
1956	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Client-builtt‮vkm.exechrome.exefirefox.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1288	Client-builtt‮vkm.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeDebugPrivilege	1956	taskmgr.exe
Token: SeSystemProfilePrivilege	1956	taskmgr.exe
Token: SeCreateGlobalPrivilege	1956	taskmgr.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
4852	chrome.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3136 firefox.exe

pid	process
3136	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4852 wrote to memory of 4208	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 4208	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 1976	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 2956	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 2956	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe
PID 4852 wrote to memory of 3692	4852	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-builtt‮vkm.exe
"C:\Users\Admin\AppData\Local\Temp\Client-builtt‮vkm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa4009ab58,0x7ffa4009ab68,0x7ffa4009ab78
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:2
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:1
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:1
2⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1896,i,14926780951958014458,8613684314993936070,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.0.2102645415\602297349" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cd172d-37ea-47c4-a84e-54c326a5676b} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 1876 21a2590d758 gpu
3⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.1.2120776142\640496854" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f31a986b-2727-4503-9ae4-592a22a1b33c} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2452 21a18c85358 socket
3⤵
PID:5392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.2.2136203936\1199090618" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0d9bbce-87b0-4be2-9a7b-a9ae7d11c8a3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3092 21a29885d58 tab
3⤵
PID:5604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.3.1955215113\1058841881" -childID 2 -isForBrowser -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {063c16c4-2e80-49eb-b5d6-d7bf922829ba} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4308 21a2c14e758 tab
3⤵
PID:5848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.4.169943722\904826221" -childID 3 -isForBrowser -prefsHandle 5008 -prefMapHandle 4860 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39064c5e-eda5-4b42-8c09-beebf95a23b0} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5020 21a2db5fe58 tab
3⤵
PID:4012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.5.1966285197\152589570" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85414a62-4a59-41ae-bba5-443e015a6953} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5252 21a2c366b58 tab
3⤵
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.6.893055424\750101673" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19544f46-a2a7-4a3d-a91b-e5534ffc7d59} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5440 21a2dbf5958 tab
3⤵
PID:3016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.7.1756706222\1460797546" -childID 6 -isForBrowser -prefsHandle 6164 -prefMapHandle 6160 -prefsLen 31232 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {deba237a-235d-402f-8700-afeff0903b87} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6172 21a29934558 tab
3⤵
PID:7060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:5144

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4424

C:\Windows\System32\pb7nq5.exe
"C:\Windows\System32\pb7nq5.exe"
1⤵
PID:5336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:6844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
993ce878dd3e44a2d22122cda63ee935

SHA1
0e87a04cbd554c51e6234b9f814f5957e92c9104

SHA256
231d4d14d401a44daa353279659227e089545def3b1018f283f4c4cc5953e0f7

SHA512
78daea7a2894c75a0dbc6fd1e80eb002b2d9cdfeade202f7ad6a48402e578b00697eb448db16aff8b43b4715ebd57673733a06eed4db33a210edcdbddbe518ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
b50a67440cb484926458ae3cbf3f6b25

SHA1
c43531c97079e5877870d76bea6a18176158259e

SHA256
0a846bcae1da1d2b1b3dbbbf720da22d55e1208a525df6708e4b52b72a8c33a7

SHA512
60c82390bb2d0f62833353c708c248f73c9aabbbd7d2cf08441bd5dae38974e8a4b55f816a8b525c12c560900b4cec060c664610235539c3af75533e71f4f80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dc931c2e088c8fc9f822b6c04bed57ed

SHA1
88329409e59e86929f2d249177fe425366140229

SHA256
cd5085bbb8397f390a8930cc69167bebf7c2dd909701538238cc6b494cb62175

SHA512
91c207ae71d85d48cbee4301e136d831f3f7676d335ba760fa299b197a7c96db3208ab3aae26b911679b4395b3dc8e99a2cea0e70fe630e2cdce8a62a18d50cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
7109c364f9500c1a1c6faf8e50058836

SHA1
bf191a263b36d3efe42783c11691ec1e2ec26f96

SHA256
3f67ca49939d839bc6ad646495f8c0bd53fa309ca1519cc767af5f9949395f94

SHA512
9afcad90df60d75076ee58f84effa01a0509ebe3b58600f8d9ae695154000148063d1b3ce6425c80a72e6580c9e5ab4517064bdaba7184d2c0484e9dc5079438

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
48cdfec4da3f265c2ade1ef84f27ff34

SHA1
cc4b0ca7ab20179da6604d2a30495949381c186f

SHA256
e4ae251fd948829f1868b79295033363d3f03d445c273b6dbdbdaf19b42519e3

SHA512
ab3f1963a2ae1d3066b28f09f000fc3efa6cc9f9daf4ac8a74bd415c6e5243aed05a837e1aa9a5a74e6ff33009efa320fbcaf341667f428bf7e48f5067c6347b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\1158B341543196B1FFC5BA8A0B593ABD33165001
Filesize
60KB

MD5
7d6c71bd92219473feed745d6c82e882

SHA1
4a31ec010474515c9aef3480a7a763988afd62d3

SHA256
176d545e68c151b1945f003419dde4bb89b1d62d4d235ba1fc297714dbff39b6

SHA512
3bf2820c3b30b88283c7cc3db30b7bb6d8f4f0e5da3d72e1479f83d3d11864e560d07c797ebcab2b5bc0ba287ca5fcc7cb28ceb24686f27ee2114ec4931fd72e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
Filesize
13KB

MD5
0fe3ffa42cb83e5ea1b09329d71705a4

SHA1
a3c55a52b60f40075d252a40c9f950b15d81df7e

SHA256
fe0b1917efb1ca9f7cbd9e3c7ff87fef8585d6fb656fad89269dd664c5ac7711

SHA512
c4d04bf3fe56f000860235043323bc80a8f892a059124e827862999521c558efd1d6c7537625fbb58d0f98bc2b9c918bce27a8d742c43f466d8af8c7c82357e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
10KB

MD5
5ed076a32b039eba75ef20d03271aa4f

SHA1
9f88290f5105c4159dbaf6ba30500c2ee682e362

SHA256
bfb59f7495927fbacddf46b04783cc9b351edf531604c9b45cf219ab4f25fb9e

SHA512
aedca89ddf6dd4603f9fc06b8844c4d19d4a2bb1d122060500c2972bfdc3d4e7cc8253ae2b38d3591b9732567611a39605ab0b95496ed45aa8e91dc3de517407

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
7KB

MD5
21eb712cdc977cff13a002429606d8de

SHA1
76be34549758770195c7021a070c3185902b3182

SHA256
2b4ab7a23275d318bfbc18b8d98ffc98975598d716a04e4cfc63092a749c25d5

SHA512
3c2b33c1afa51f2756ad98a9f49dff97e0cf8ee6438819e6b2bd194fe63cb63c02012a6ae0d7ed637289e0e98fd2a3eacfd65db3c1d0f58eea9846ab8c6482c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
8KB

MD5
4cb26bca977490453f753f0fa3a91b1e

SHA1
da0ecfa42396911f2cee42aff6d1c2632d35a700

SHA256
db0a8c50744307e62c75d4908ffaf188d5f779f81c279d1245be01985e2f4fb5

SHA512
e44faea2cf3e762791956bd1d9deb14096542d1703b3bb7b4bbdf9dc7b475a896ce60b2f10aea39605e4653708f300d7469eb479eedc71042c89ee42187ec663

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
Filesize
6KB

MD5
c3cf6fd208fee74dcb3819f9984376e1

SHA1
de0b644f9ee5bc3c26e70b4238be46fb5a12e780

SHA256
250b9a037be0eb87d378a1cab811c4f2223c47077c07ddc3836dd570f7307800

SHA512
90f43a9462cb88fe1a60e5a20d7ee40f0e876d5ba2f2ed07f0842bbafe79c586bc9d7477a38468dfd482c6f03a03cfbd234c74f6a91a6ed232f7675fede3d2eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b1879e16c52158dd45a2a65c7c64281c

SHA1
53334a78e65bf4cf7100b813e054c7fcb9939f81

SHA256
975f6f61993ae1c11c85da85eb44c469864613f99dc4a30c8d747815bf17230e

SHA512
7b63dc7b52cd21fc142d38f94c9f94235e7b047f99adefa7701adcb24c487e9c7d868bd1bfe59f07589412b4f16f5c6b0e6085ba22795d4e48c290d63361a191

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
349a7611e5208d5dbb69a3e1bdbade2a

SHA1
cd4621751bca4d41b1f21e6b82e05b393b9a599c

SHA256
1c2e13563b2e98ba02c261e8ed55018e4241a4c55b0b12b3f72ddefc0e1ac749

SHA512
d37cf02fedfca24938bc1afd0244288367ea4a4211d2a9875755da38bd33282953654acdabe112c54ce5cbc5830942940a16c9aa3e3e4b8c186b88b5993e699b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
7f9fd1a524afc493cced42da98752bbd

SHA1
b1488bb0c453bcfe9577295c436181dc827ed56e

SHA256
20f640215b52810071e66179f370a7f738051ac7df6ceb7e01e0f086d3af41ed

SHA512
53089535eeca241ad0a17ec09a26c9141d2d462a6717be531addd8e3e447b17c24a48ab02e6a8b106333cba6503fa8220a8b40fec4d06a318822354394d721b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
4a79c9fd0a99e29efd94a878b555a123

SHA1
a25e892923d846442049d871ceab57090f2000cf

SHA256
b167de219c33da96da250d11cc87bb09b1872be22c3ba887d3d2e267aa52681c

SHA512
0fce54a88698356b42d9b1be5d01e7d1b9bf51549c11ea09723f8fca60fa7d16384666a1a631d04ef530384a7991e8ad2a7b33765580b9f673f91032c867d58c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
e5aa6539c11c13f101a629be92332fb1

SHA1
1dc0d3c59a988d0b76018afac5cda50606134ca5

SHA256
0f1531b1adcb08d1ab59348d65a1ab13422dd7c504d9243bc83935da197da87c

SHA512
7751d6d877d1cefe2df6c473ee10861580ad21258f727d3d8d5cd6cb65860a32dd2f6af3c78dab96038505e28bcbc63c383b17925b34c48e7a33683525bf939e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
513eff08c581b59c9ee737d677c662a8

SHA1
a0d79f6a1092c47f31a05f6df01134b21ccd3f8e

SHA256
695887347d82eca94326e05827c5d6aa8ac7e26cfdf31f27b4cb115a9f5177b4

SHA512
da3c20c63938b911de308e7051b43cca6f7751d8a529ffcf20537d34eb4ddb1ad1e8cbb5b7205a31f558ca78de9d07b08f2f5ea0ca4f07864b05bc1af7f4c468

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b953f978559b643e00e27080d7dd2d8c

SHA1
9c01ac31fdffcde838cc6a70e6898f71acfe2edf

SHA256
2a2fc979c246cd6ad991ab86607839f93b4315dab08aa2c9359efe05e4e4a07a

SHA512
ff76925df030426696aa0dc5e87eee72f750e4d81ee262375497d677b87b60fe7b38eaadf855f106c12f9c2c2c7a18d230e3014d78058bbd7838aeda63f59a99

Download Submit
\??\pipe\crashpad_4852_WIKSXLBXATXICAPL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1288-191-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1288-0-0x00007FFA49D23000-0x00007FFA49D25000-memory.dmp

Filesize
8KB

Download
memory/1288-1-0x0000000000630000-0x0000000000954000-memory.dmp

Filesize
3.1MB

Download
memory/1288-177-0x00007FFA49D23000-0x00007FFA49D25000-memory.dmp

Filesize
8KB

Download
memory/1288-2-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-2202-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2208-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2207-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2209-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2211-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2212-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2213-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2210-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2201-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download
memory/1956-2203-0x000001E0BEEA0000-0x000001E0BEEA1000-memory.dmp

Filesize
4KB

Download