quasar | 54ecf97fe6dc81aca8e7f68df713edebfd020c0eff68a1919bef11bd32136dcd

Analysis

max time kernel
146s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-11-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

3a96e758409eeabc8836a8665980e01b
SHA1

50f6950089a997ccdac2c0790f4745bb84792a32
SHA256

54ecf97fe6dc81aca8e7f68df713edebfd020c0eff68a1919bef11bd32136dcd
SHA512

f07548c69a5280fbac5fa28c1cad876fe0329757990b6f04200f8d1ab2f30a87cfdb784d2cb3364d72b2538360200c79582a22d094bd5165890876b8003807c8
SSDEEP

49152:Sv2I22SsaNYfdPBldt698dBcjHgNxNESEbk/iOLoGdbTHHB72eh2NT:Svb22SsaNYfdPBldt6+dBcjHCxqw

Score

10^/10

quasar office04 spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Inversin-43597.portmap.host:43597

Mutex

80329fd2-f063-4b06-9c7e-8dbc6278c2a3

Attributes

encryption_key
744EA1A385FEBC6DA96387411B7000D77E66B075
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3100-1-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/files/0x00280000000450c2-3.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
1488	Client.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
272	schtasks.exe
4380	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Client-built.exeClient.exefirefox.exe

description	pid	Process
Token: SeDebugPrivilege	3100	Client-built.exe
Token: SeDebugPrivilege	1488	Client.exe
Token: SeDebugPrivilege	3424	firefox.exe
Token: SeDebugPrivilege	3424	firefox.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

Client.exefirefox.exe

pid	Process
1488	Client.exe
1488	Client.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
1488	Client.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

Client.exefirefox.exe

pid	Process
1488	Client.exe
1488	Client.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
1488	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid	Process
3424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 3100 wrote to memory of 272	3100	Client-built.exe	85
PID 3100 wrote to memory of 272	3100	Client-built.exe	85
PID 3100 wrote to memory of 1488	3100	Client-built.exe	87
PID 3100 wrote to memory of 1488	3100	Client-built.exe	87
PID 1488 wrote to memory of 4380	1488	Client.exe	88
PID 1488 wrote to memory of 4380	1488	Client.exe	88
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 2060 wrote to memory of 3424	2060	firefox.exe	101
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 880	3424	firefox.exe	102
PID 3424 wrote to memory of 4756	3424	firefox.exe	103
PID 3424 wrote to memory of 4756	3424	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:272
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {787c6473-d063-4d98-acfd-f2b37caa4eb1} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" gpu
    3⤵
    PID:880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c81274e0-f5ec-4fa6-992a-b262833ab36c} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" socket
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 2756 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f08feb-353e-4fa6-8c5b-b0e94b01ba8f} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d3c4d45-c425-4cb7-b6ac-ff1795d9c3e7} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:4600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 29145 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc149b63-d21a-49f6-b4e2-616ef9d42809} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" utility
    3⤵
    - Checks processor information in registry
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5240 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1593f995-d8bb-4600-ba91-5b3ff3b4048f} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83b4bd8d-4335-4e73-978b-eaf3c1498000} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51fc8b39-4fcd-4072-8f12-357f1391c8da} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:5688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6060 -prefsLen 28302 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a053456-eb4f-465c-8023-35772883c54d} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab
    3⤵
    PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
7ed2538d1af2bcfdc786029acb05b9d9

SHA1
5f239ffa46f6a3320cccfd08d84499a3300a8db5

SHA256
34df14c83507f2069b4ab98faf05aa94434e5d54cc743a347425275304d438c6

SHA512
3fa2daa824984a93a49ecfe364eb1361f2c9043f4a5b7ee054d7193e005189b17dcfcb6cedfe648d75134d4672ce22bf1dca4f3fab22f77fc8f7ac8e075ff54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
6KB

MD5
dbef5bf0a1eb4aac7b66ebad2b9ed804

SHA1
b7066718f238d27a9df52e171a2496b79deb627e

SHA256
7274e2c6e70e4297fbb43d4ab01bc6ca6bb888227233f0940d265b7a62eafb73

SHA512
f51e253c5e111f53da82a786d5c3a8be08c08f44bf985c3b9b083bad74fd3aa029c27ce84bd35d4768a8c5266d53027cd68eae3fcffc1aa4fb11902252400b72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
8KB

MD5
aecd66a1fc35ddcd25416537fea46f32

SHA1
40343226ed86c3093cb4bf31e5c85e44651d9e6b

SHA256
bdfc2512c94367433e921b65194c4c68a5325f12049e932d08d232f9a9c9bfbf

SHA512
2f1f2c8e99c1e696756e4fc415e4b890863ee7f02337efd171c1e842f2f1041f4035b6798e1ba15a69686fa4d137a75799192612cd72765346f1e7b5e741b5d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
897beece243c8b36d41a090b94d34d59

SHA1
793f52d26137797d6b297765d736d7ea2ff99489

SHA256
cdb52b36054a63ec6ebd00eb244ad1afc357dd53e25866c647ade2842dae5f29

SHA512
ef3d6dc33fa87b52a499a6873054ff3323224acd5be04a838ba6e3e2c84c793373c9a77d8db20c94a1152163a9127352d719f8ccf3b126bbc48a295c8db87841

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ae75b8af2c0adef24e259a4e3054c903

SHA1
5977dab7106968e07c44f82fb134fd7e9fb7d744

SHA256
2b0c8a09d5298d03c75bddde4fe8300e8711b0c4e800325b263672ffb03adebd

SHA512
f75ecaaee28e3819fe53a212768428d2fac7a9d37fd0982c407511213ffe942df4e542acf0c8a26cd33db37675001b66d32b337e4def1816c1b7b7a4f9a674ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
5816546c7b7023cb6771b56bcec1a3e6

SHA1
8e68274da29cf390618ce3bc9973de249c67e019

SHA256
67cf3a0bbb8dc1f3965b34ce4c3f958e047ce9f86c01453372444648e7439728

SHA512
71f440e9f1261ff9ec36e77d5d183e68ff0c08fe352253545b03aca51927202dfafecbca09a8ce45bdab99a62fb1fc4824c38d535b728c1e32c64c0cdc458270

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
125f8525d638949df7b665ef3e92a116

SHA1
510a6e6fbad85691f07bff330c9dcb1b1d34e98f

SHA256
bbbb0ffecf70ee6c3e39d93770fa9d5da57f484ce44bfa57f6824913b670bfd1

SHA512
a81ad2d9c62d5ee131cabfa9fa3ec487f16834c975bd9a1abaa4898d4eb1c28889586243149495cd532ee2abed0309d30f54d8ba7d2d2b1b795ea330d56bcab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fa5a7d453d80cfda6eb7bbbb70c05e57

SHA1
11931722d044717b96895bf6d5accfa403b93077

SHA256
55077acff0cff63c5682536267b0b536f863bf8cc59a79a8cd77e7f87fd68534

SHA512
bcad7a26e9eef7beb18eb6097745bab123b3efd9ce4f18b44425a3f2c05f028fcb53d2349a994565c98b00ad4606e95323d862fdd45a2e19cf5f01b73e9e4afe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\003d97e6-accc-4e10-87b7-d21a94405c41

Filesize
982B

MD5
04ccad8f2b2ca60b269b900791dad15b

SHA1
247e6702ee516e011e7d28f62049deb30e15e8f1

SHA256
a349e69b8c360721953f27d8f5b6e30d718ff2d76e6ee119cd0ce122080a5c41

SHA512
3319efe397b886775ffaa7ba4e91e8a6036f8de402a00a2e912d23b4a1b331c6d2dd531ef5cc13b3b8e4b54902e754d305106e91814e83c2752cbd0a9075ad72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\9caa5aaf-99d3-456a-8984-96f5f8401879

Filesize
26KB

MD5
e8c50a295e0951095bf1158990311c37

SHA1
1431a2035562cfceeeccff3148e6f8aa86981d29

SHA256
aa0e47809682dbe643709e6dffbf247cd09063675f866f6354262c025c2c3c5b

SHA512
d1d2ee8f7d35500a7e00606ec97d0da00d195003d89e27ca0b2b1355382ac5aea491919c23f1c3fbb15a94112c9a2bc3cc5190a7ea77750fd51d454b7bf5982d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\c153631a-3b0b-4621-81fb-893869679717

Filesize
671B

MD5
f8944f0a027b68fc4a3b63a131b18dc1

SHA1
3d0b46f8c735435a33a3b86a95f7d6c0cbeedc8b

SHA256
92b54212c9f2301ab064366ace2dd827932f96fd60b4c3d707a8af1a347b643e

SHA512
1f87c926231313c6132056cfd069eb0c21915eb18a8838cf3cb773d950cfba4db7bf2b2404848b4e911be9062a0e32b61200d4586d70c94d5d8e1a0ff00ff89f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
11KB

MD5
4742e9826cfe3d818d6d34cd467d7e55

SHA1
ded2341a25231fb652d20f84f815f4dab928ac87

SHA256
3842d1a759b497bfaa0cd9c305bf8058b986cdfa5d0cb18f6b3ddb5ed6f3f0c1

SHA512
18cc78e86854491dd268a3e0590e7eee8195cfa1fb1c8f55f5a7d5800c3f06a3e06e623ca7f281c6a25855b06398b0e6d1c6218a83c145075fca6c06a15fffd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
8de8f8092686db67efd952e77bfc92ff

SHA1
d618e8378268e56b0fd675c188f1e051119f2c14

SHA256
b85f47dde5f2587d57b88360446a30c14f0c40c9594f0ce5331c4522779d9ddf

SHA512
e881bc5b3156127e48e39a380749324ea40577c42ada34a979cba96e393a46b19d38f4b997d1c53be993f74030244d0d77f964137e4eda59cf800b27dec7eb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
5b81868ce325142439d732208cf761ec

SHA1
33a3fb15aa1601dc2e378cee691a440419ddbaa9

SHA256
511a9657488f77b22cb346af69e941734bd7a87ccd876dafb34e20e6929fb382

SHA512
331c5e08e30350c8d5ffb8be84b57700c1e94192ea0e75c85c26afc9f6aac76ba2d70f867e7fb287ac8d84711b2bad8d3f5244fe410474f2d87dbad9dfc7c005

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
25ffa329839a9ce92eac63b3dbd8d27a

SHA1
dd0a544dc5793f3acb7bfce78712e078ebc6ae1d

SHA256
675f44e4a5898ecd95ea857403acc8f84cc1964f23af8c15e1b82f0409ba0b2f

SHA512
cb74368e29eb6b6602b178377d6e6e42d5b6561a768cbe989fc93c3709e9e466b0848cd0c794389543477f7306eb2f546de26b782bb6bc84c8dc991108ec914c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9d920bcc461fad737fcced5bf9872bfd

SHA1
46911d37bc13c62dd2711e4b0b512e77d706a838

SHA256
8f2ca2daa840b4b1e0e8110f7d86e42802c7e6196d54d33ffaeb4e3eee3c151e

SHA512
be0b4f7c2016aea0d799079ff917303cec8f3131d9d2f18796560ce6c2cf293ede389a632890a591b6649e5a737b0d38d07838a0f4e94efafebdff1cf5c0ccd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5bfd10ec27315663a532e129c23c232c

SHA1
9d0f8fd4c3e0b9d2d61ef1b33c0c174e5cf77732

SHA256
1786504cc8070d136e849bd050b73692b45562408dd7ee2ea905a1ccb2b9467c

SHA512
6b98b60704c882ec69aa5dce13b7c7e60173051c139c82343539a12e171cae9f3785f3f70d5f0f5f630e0928338663b24bd9c3da562b0ca897d6b5d782ceb2aa

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3a96e758409eeabc8836a8665980e01b

SHA1
50f6950089a997ccdac2c0790f4745bb84792a32

SHA256
54ecf97fe6dc81aca8e7f68df713edebfd020c0eff68a1919bef11bd32136dcd

SHA512
f07548c69a5280fbac5fa28c1cad876fe0329757990b6f04200f8d1ab2f30a87cfdb784d2cb3364d72b2538360200c79582a22d094bd5165890876b8003807c8

Download Submit
memory/1488-13-0x000000001D3A0000-0x000000001D3B2000-memory.dmp

Filesize
72KB

Download
memory/1488-8-0x000000001D350000-0x000000001D3A0000-memory.dmp

Filesize
320KB

Download
memory/1488-9-0x000000001D460000-0x000000001D512000-memory.dmp

Filesize
712KB

Download
memory/1488-15-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-10-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-14-0x000000001D400000-0x000000001D43C000-memory.dmp

Filesize
240KB

Download
memory/1488-5-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-7-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-2-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download
memory/3100-1-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/3100-0-0x00007FFCC9803000-0x00007FFCC9805000-memory.dmp

Filesize
8KB

Download
memory/3100-6-0x00007FFCC9800000-0x00007FFCCA2C2000-memory.dmp

Filesize
10.8MB

Download