quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
299s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (22) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

11 ip-api.com
24 api.ipify.org
39 ip-api.com
4672 schtasks.exe

flow	ioc
11	ip-api.com
24	api.ipify.org
39	ip-api.com
4672	schtasks.exe

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral30/memory/2352-1-0x0000000000C90000-0x0000000000CFC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exePG1PpuSJtFlx.exe

pid process

3192 Client.exe
4408 PG1PpuSJtFlx.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
39 ip-api.com
11 ip-api.com

flow	ioc
24	api.ipify.org
39	ip-api.com
11	ip-api.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

4672 schtasks.exe
2156 SCHTASKS.exe
4932 schtasks.exe
5848 SCHTASKS.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings firefox.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

4436 NOTEPAD.EXE
1592 NOTEPAD.EXE

pid	process
4672	schtasks.exe
2156	SCHTASKS.exe
4932	schtasks.exe
5848	SCHTASKS.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Uni - Copy (22) - Copy.exeClient.exeAUDIODG.EXEfirefox.exe

description	pid	process
Token: SeDebugPrivilege	2352	Uni - Copy (22) - Copy.exe
Token: SeDebugPrivilege	3192	Client.exe
Token: 33	3420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3420	AUDIODG.EXE
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

NOTEPAD.EXEfirefox.exe

pid	process
4436	NOTEPAD.EXE
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

firefox.exe

pid	process
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Client.exePG1PpuSJtFlx.exefirefox.exe

pid	process
3192	Client.exe
4408	PG1PpuSJtFlx.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (22) - Copy.exeClient.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2352 wrote to memory of 4672	2352	Uni - Copy (22) - Copy.exe	schtasks.exe
PID 2352 wrote to memory of 4672	2352	Uni - Copy (22) - Copy.exe	schtasks.exe
PID 2352 wrote to memory of 4672	2352	Uni - Copy (22) - Copy.exe	schtasks.exe
PID 2352 wrote to memory of 3192	2352	Uni - Copy (22) - Copy.exe	Client.exe
PID 2352 wrote to memory of 3192	2352	Uni - Copy (22) - Copy.exe	Client.exe
PID 2352 wrote to memory of 3192	2352	Uni - Copy (22) - Copy.exe	Client.exe
PID 2352 wrote to memory of 2156	2352	Uni - Copy (22) - Copy.exe	SCHTASKS.exe
PID 2352 wrote to memory of 2156	2352	Uni - Copy (22) - Copy.exe	SCHTASKS.exe
PID 2352 wrote to memory of 2156	2352	Uni - Copy (22) - Copy.exe	SCHTASKS.exe
PID 3192 wrote to memory of 4932	3192	Client.exe	schtasks.exe
PID 3192 wrote to memory of 4932	3192	Client.exe	schtasks.exe
PID 3192 wrote to memory of 4932	3192	Client.exe	schtasks.exe
PID 3192 wrote to memory of 4408	3192	Client.exe	PG1PpuSJtFlx.exe
PID 3192 wrote to memory of 4408	3192	Client.exe	PG1PpuSJtFlx.exe
PID 3192 wrote to memory of 4408	3192	Client.exe	PG1PpuSJtFlx.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 4420 wrote to memory of 5108	4420	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4752	5108	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (22) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (22) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (22) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:4672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4932

C:\Users\Admin\AppData\Local\Temp\PG1PpuSJtFlx.exe
"C:\Users\Admin\AppData\Local\Temp\PG1PpuSJtFlx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5848

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (22) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (22) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitBackup.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.0.333123358\590276782" -parentBuildID 20230214051806 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bc336e4-9bf8-4682-bedb-f8c6a06d7dc8} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 1796 19cc770a958 gpu
3⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.1.366404275\1535802878" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def104cb-8b68-44b5-8662-ae42bcfabeef} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2404 19cba985958 socket
3⤵
PID:1680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.2.1535185926\2014863759" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e812e6c8-09fb-4aa8-aae5-6fb28c667275} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3304 19cc9cf2858 tab
3⤵
PID:4260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.3.1267017989\715257124" -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {178d0457-b1d5-4baf-9d5b-b230cda77ef6} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3772 19ccc6b9e58 tab
3⤵
PID:4196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.4.631469874\1435996892" -childID 3 -isForBrowser -prefsHandle 4656 -prefMapHandle 4588 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71ac42a9-96c4-4666-b641-9d8a4e406ccb} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4572 19cceb9d058 tab
3⤵
PID:4180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.5.1821283656\1014796937" -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5316 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5726d78-988f-4f2a-a381-34ad2db75f4d} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5292 19cceb9d958 tab
3⤵
PID:3992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.6.415817225\513626748" -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {378bbf71-f068-4c1f-84c6-abae38ed9847} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5472 19cceb9e258 tab
3⤵
PID:3904

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AssertReceive.css
1⤵
- Opens file in notepad (likely ransom note)
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
c63b139eb3a14cbbe6a29687a9eb16aa

SHA1
19c861ce85b48f80f032a1c34333a5345b7bf55d

SHA256
8e5dbf5f8443d9d9f04022dc791e82b26ab7705a7ec140858bf74d6b092c3fa3

SHA512
6d70f04f4e94b0741def5e4dcc30e1542a633e8626d8660bcffa51fd355c6148224d1c26eb0d2b53ef88e23629f7804550e4250d169f0dbc859b4e1b3c849029

Download Submit
C:\Users\Admin\AppData\Local\Temp\PG1PpuSJtFlx.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
7KB

MD5
c84ea93c22d7b69fec71249a093989e2

SHA1
4084cfac785859dd6b2f1e9959a04011f49d78cf

SHA256
770444d790e9e58f53c7a1a71b414cfbc78973173bfa7493839973d7ef39c518

SHA512
9b0ead1e4cd5ea82aa473d1299ef58bd3e7c4f6d5d4b8a851c6576649a6dc9edbb1ce9b22418228b4d4d713156e5e72c33b76f06d7a1e0b497edf073fa712a25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
7KB

MD5
54d99693ee5ed8567c992165965a5736

SHA1
ac238a9f63823712f9c17c1c034afb426c756c0b

SHA256
faafdd14b14e250266634abc0e8fd5cd5f6a8ca20e958ae72b38a79f06bd7ae9

SHA512
df876423721b7ce6d3169c82629473e5cab0d9067add5a98fdf5b1de472f671ba61c0e83fd52e2c3dcd4efad5bea191a610c0e57a1fab272beda58b7ed089ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
Filesize
6KB

MD5
3f01c1d1db5c2569ee51601725efdfde

SHA1
97229797885e969d210c5a9e21cdc5dcc86fed51

SHA256
0c53375a436d00dbc6368afbf1c43d786d88603ab7b5d3f0096fe2a8f3e30568

SHA512
9fb9f831a1258fbd96297bb76b7e9557652c89d30d2af23dc55eb348280e14c67283f48fabdb7940c584c9d79f3fdf1e036363ea08049bc9dae5eacc30a805e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
Filesize
6KB

MD5
f455dc9ef9abae9b35c09bcefd7ab35d

SHA1
c432877314c67c395367bf39caf857281efa7bff

SHA256
691a353a361b77527cb7c02a5ebf1771df13c48e1bd5290b4524a3b7290e1c3c

SHA512
127a1d2c3aae7789060a6fdf08ac4e2457d91ce5ad9134c9fc1db36ea987e9e10063462134b2b977eca7c463e72a68e0eccf97f8c216b63d692327b53d326744

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
Filesize
7KB

MD5
cd787b7c03f95c61bcd17012e87e08c4

SHA1
f05ae22f8e5783c220e65c94f796ba880ad07cb7

SHA256
b9722b12f2743d05980341797f177df781afa16dbca3a99d543c4f9c72415e67

SHA512
13f1b2de7e7861354244dc1e8f68daf5947590f14df149d7f34dd9f83d35ff07fa057eaaa52b79fc97ff85d9f19950e81d67469f86b4977c1b71b3dd87b3b5bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
023fadb194665512942835d62697812b

SHA1
4f89a817f7bf9b50a4a2a6580695337c37f87319

SHA256
ccda868371119021ba562d77709c790bad2211c22e6373414b528d94f13e048d

SHA512
a855b42b67c3a13ee22d51275c27aae2c602f1155b73ddaf67409af8db62602a363a87edc0f22ff076abf7e3ffc47100404ddcd65085d18c2a55fd795ee0af2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f6659b1398ff5b53cfdc5553f0d98a8b

SHA1
bed5cd213679e445d85a6bf4ed8bac968bbbab00

SHA256
f16149ea6566012ac00307189c39c13ef5dfc84b9d8482386aadf2095201c6ff

SHA512
a94f63dcf4052fc45e4f19fe5356c51b0b41f907f9138dd990294ca1eea4aa9d9a7952c1a92608e1a43340cab1c37c756ccdf06c38dc874055ed8e832ad09e6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
5eac87c99df72821f9b0abee91c34908

SHA1
78a03491b3e91808de9d1a435f3840d747069631

SHA256
d9423bb1985eaf7b7e06eff9a8aa6d974e1b5e81fe4f8bfb94f32ba3046634c3

SHA512
c09399cbf996e39b69692f327405f712bbf685ca14f2399f18f7b842f2b58baa77ad60c9667eb34753b8b96126e9ea7835fa3cd563e0a13b58ee45f81ff18715

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
db63e3efa269eea897325c259fc081bc

SHA1
d58ef6333815bbe60125ad610ec3e9ae3c03c5f0

SHA256
8a0973f6053d8bece376512ff5bd708d94650113415875eee3b8dcb837e85953

SHA512
d223bbddaecd9bc3988da61575a12cb3d1e5bbd21d9e22e6803bdb211349629d3b9a489920e851a302b6a422282ca3378dbd31b6c1be234e620658bd041e1d83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
c3a2f2886e5a55371f6aa9496e0ecc6b

SHA1
3e1824c2bb22333e620f55a9d641b4ec5c8e385f

SHA256
8188f68b99a062033b3a9f469f49b611352864e2377c9cb425091e2e028f8922

SHA512
16314f1113126049b06d3817592ea9b4c76d87a39ce2e9f61a848bbdb03a0ecef87f19cff24ab2ebf3be3e5122a585cf96486de2476a20e7add211246480b91a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d65b4435cbe8fdc684c65f6d22ab5c22

SHA1
2de7a3212cda5650c2c1b97d529678a3f137db5a

SHA256
5058a4aabf8e2c744e37a06ec8c099729803b264f344120a71bc2e5b279bafe3

SHA512
9879efe882b655267ca2a8768e73d28602d17e49dad99427b288e55ff8902fa35f1b9cb1b637e7c0b7687fe353b430a66f51c3af8dba4009c8b0c5e1f37c2cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
53f05e91adb1a39c0cd416fd09b0b719

SHA1
8bec1d94b48e7ed21ff9ada2aa704bf82fd06eae

SHA256
7e3137756ff3d19be5409b1dc9770e19b8aaa6c7f684843513b3025012269748

SHA512
bf03c2519c4e59dd150268adc8d8b374e708440b29321b3ea4820927bc2bf1833513c173865ed784a2a45167ec3a2185489f05ea646385b695df27eff9f12d59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a9d43a6e64de974e55e74206a95510b8

SHA1
4938c9ac70ebbd13ff65b75dc93d30b3c9946181

SHA256
168994db1ac696d7f2d2332c32d0d0d7827adbdb15c8587eb6790e0b1ed14b7a

SHA512
cb48031aa559a453f05b2df1fc04d462e8c460782891de5e78c1483da1389c6e8df79fb60def52d1b4a4326fedd8027fe3a2972a5908a0258eae344cc924a9dd

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2352-6-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/2352-1-0x0000000000C90000-0x0000000000CFC000-memory.dmp

Filesize
432KB

Download
memory/2352-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/2352-3-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2352-15-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2352-4-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2352-5-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/2352-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/3192-12-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3192-175-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3192-20-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3192-13-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3192-17-0x0000000006C20000-0x0000000006C2A000-memory.dmp

Filesize
40KB

Download
memory/3192-18-0x00000000065E0000-0x000000000661C000-memory.dmp

Filesize
240KB

Download
memory/3192-19-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download