quasar | 5fccda50065844a012e1425d3d9d60b608c6d5dc07514d32d04b1c55a1eade36

Analysis

max time kernel
63s
max time network
70s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-11-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PC_Booster.exe
Size

3.1MB
MD5

81d8571af28e42e2bbe60b5118173da6
SHA1

a826876a268bb7ebcf67b050707ff8a8e05ee6ef
SHA256

5fccda50065844a012e1425d3d9d60b608c6d5dc07514d32d04b1c55a1eade36
SHA512

b6f2dc77b046e4577a996495a6a5589f6ea263e61570ff362f2fb3386dc2b5c80c63ee6ab0678b36e1e11f7a3e46a9c5ed2cf33a5fb523e6afaed0f5a38da347
SSDEEP

49152:KvyI22SsaNYfdPBldt698dBcjHF9rwmCPLoGZB3voTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHF9rQ

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.18:4782

Mutex

4d099eab-30e3-4c3b-bf50-bf77e2e70e0f

Attributes

encryption_key
04E6B8EB331AA0F74187E430ADEDBC1B79B631E4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3332-1-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4120 Client.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

65 icanhazip.com
67 icanhazip.com
68 icanhazip.com

pid	process
4120	Client.exe

flow	ioc
65	icanhazip.com
67	icanhazip.com
68	icanhazip.com

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2300 schtasks.exe
2788 schtasks.exe

pid	process
2300	schtasks.exe
2788	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PC_Booster.exeClient.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	3332	PC_Booster.exe
Token: SeDebugPrivilege	4120	Client.exe
Token: SeDebugPrivilege	732	firefox.exe
Token: SeDebugPrivilege	732	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe
732	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exefirefox.exe

pid process

4120 Client.exe
732 firefox.exe

pid	process
4120	Client.exe
732	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PC_Booster.exeClient.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3332 wrote to memory of 2300	3332	PC_Booster.exe	schtasks.exe
PID 3332 wrote to memory of 2300	3332	PC_Booster.exe	schtasks.exe
PID 3332 wrote to memory of 4120	3332	PC_Booster.exe	Client.exe
PID 3332 wrote to memory of 4120	3332	PC_Booster.exe	Client.exe
PID 4120 wrote to memory of 2788	4120	Client.exe	schtasks.exe
PID 4120 wrote to memory of 2788	4120	Client.exe	schtasks.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 4016 wrote to memory of 732	4016	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 4396	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 192	732	firefox.exe	firefox.exe
PID 732 wrote to memory of 192	732	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PC_Booster.exe
"C:\Users\Admin\AppData\Local\Temp\PC_Booster.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2300
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1872 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c86d3a-bd23-4a97-9a2a-8ad88d641918} 732 "\\.\pipe\gecko-crash-server-pipe.732" gpu
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b043137-b980-47e4-aa94-acb327cc8565} 732 "\\.\pipe\gecko-crash-server-pipe.732" socket
    3⤵
    - Checks processor information in registry
    PID:192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 3028 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f25d2470-9558-4515-9e73-2893cff7c03f} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:2652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2688 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a02cc28-22df-4a6c-9d23-8fc45f4590dd} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce3fc233-0e34-49e7-90d9-25e3323a0542} 732 "\\.\pipe\gecko-crash-server-pipe.732" utility
    3⤵
    - Checks processor information in registry
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5428 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe8dda0-0a08-4742-938f-57374e2308b2} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5580 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92e14688-70d6-4e03-94e2-56d481223807} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5772 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5be853-9ba0-46d6-a967-5ff65d3b2c5b} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 6 -isForBrowser -prefsHandle 5964 -prefMapHandle 5576 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e0b5b68-110f-4f4d-926f-044fbd669777} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab
    3⤵
    PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
4b85283061865d1a4c888bcca32d72d0

SHA1
2036673685e0d4d05bd94a886da61e373c167bd6

SHA256
29a5a17607392509bcef5e5d6ffb3ea8641068af7e910ac5a0190a028b096bd1

SHA512
ac665ee61447147121bb0e117bad9eb0fadc66978239e87486b9fe8d9689704ef85e2f7e60c97bb9e7a15c8b8a0fd70cf16502c2d7c905e6699a0de2abcd9a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin

Filesize
8KB

MD5
ef925ed6907f63964f825c3cf3f571a5

SHA1
583920f74a5796f9feb2abd6266110c9dfa3b0a7

SHA256
b6c0f6b7f3120a2a8bd07654010893e93a309199ae21c0852904153992a818b3

SHA512
249042c732b243f78fd3c3b0d6124c08f14badc3354184fa8628571b246e50701fa960988e446cd81e2adc22fac42c7f6f69bc47484aaa1ef0c0138e999deaca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
96de6eb0b6618cffbaf4499bb927d24b

SHA1
151f51dfb30549b654bb1442fefea12214fc7ee3

SHA256
46bd44e6133ca541a00bbbc13c453a231dea1de5ebbe135a92fbe9898dc251a6

SHA512
e80c1b9afc0a8fb7d701829c65e11070e79ff6bf937f4551ac79cdd95d2a7b515adb3d601a238df4a993eb28b183760751d221d12f5b16fc3a5cfde8863540d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5453bf0467e6ecadb2501a2aaadf5760

SHA1
471a26819ce18de62b6518dd0eb8010fd771af66

SHA256
b7c0079e9a9ba466c5dbd0c1b99d883be2746296ad8121cc99941d3b2a5ee931

SHA512
1855d7b36d25485cdf5f57d8d21b745798cdc1d6a8fddf47414d9085cc7ec3a68cf43f10d13169e6e13f27d79e8719efe3f55f464e93efc71f2879b44481f227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
abd0ea6126a6d1b95261ebc79adc0c0f

SHA1
ae57d633443b8cedfa6ba467a2931dc7bb4090a0

SHA256
55026f1fe5d11e059a267d75476e09a9e758e1a6838086b81e7fa1cfa6d42867

SHA512
a267bb337ec58d9b2fa04bc8970969e0250414bd601951537d9d255818c4af30e20dbf036a4fff39ed5a54775e92a58f5392acb067b5d8a853ff5014c71740dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
044c2aa3e7f7ea5b495a9dd6d1d2da5a

SHA1
2cdd7d30d150f8e8482125c40e0fb5ab6c278594

SHA256
c89157454ba688435c15e7ce5f004cf44bd6e508d0991460e9954c6864b719c0

SHA512
4ac6b91315c9d72e8371a5769704389a5c3a3a7c12e7058c67828697b538bd938e6d4301a23d8c4fefbff0c5a790b0dd4e9dd62ec105328000c5fe6c5093e17a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\38ced64f-8f81-4d91-9b2f-f4f6a8aabeba

Filesize
671B

MD5
6e1663cd536e3b846f352f390ad2c7f6

SHA1
955c225efc19dfde254e123896f01f6f8acd701d

SHA256
7a5e06cd071c8ba6e4d06299d4f72edb3c6bde9355e7ffd61f8f9a0814e36d20

SHA512
d0bd8011b659b498e93f25bc6ce12091afa7398427535f2762ef8129a67882c18ab1a09f000cea34b9b9cb387a94df2eb386db7db1b4e311c903226454c893e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\596a0a63-1eb1-4161-a397-db5b6a5600e9

Filesize
810B

MD5
4f62e6adc3b4632ca82631e62a034404

SHA1
0a162604933497aa9e2650bbd04c4230be2e02bd

SHA256
0a8f6e16a65b1c6f52137c6ce01e18f198095bc5bdf6b8b1d4bbd00a9967148c

SHA512
517c4d598704b4e4f50ab2429f24f9c29b2783ad728371b323570f56712ecc9ccf4b65892ac41c656c81d1b5cc843d5d59075a455a179b3c970f52acd6806d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\8323918d-a9a6-4cc2-b9ca-62db8632bed9

Filesize
25KB

MD5
3463542b538058a40d8efe2fd1b6d5c7

SHA1
b83564d6bf11521359111b21173b5bd963357a98

SHA256
4d025c57301c9d610f0be61a81e8a5843902a05a29950da90804dba232213a86

SHA512
6dd6e4d44f1b1713e16792ab92a29d41e954677e30940f8059150600d06423778a0f10e2a1a60f2ee5c2faee59239792ff6b33957b9b5622458f6e256cbe405f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\b39a5107-a4b5-4929-be5c-d02476aaae50

Filesize
982B

MD5
2d1b6b04cd7288ba3a6ae8d2c4db2e25

SHA1
289c89962bc7828ac8224a819904b255f612da6d

SHA256
57584fd0006e1a45c35dd19c4f874810aa1585a70dbb58a870f3fcf9d407e059

SHA512
58fc1800bdbce34c9b8d66a8fb0b5f535ea037dc84dd7623b4f9f7c09a3121644b79c6ce0974fe21ba7ef2945d5a9fea0998287499498364863eba67fab4ed35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
10KB

MD5
faca6b25869e629ad3cb8d25c55c6edd

SHA1
73e5b8116aac4d0686557fe7b6b4bfdb171dde17

SHA256
729d50ff88314a1a140fa176f8fff7915148003ecffb4823a856cb7af32cb24e

SHA512
aad907cd2de87b211cd8368f770c4bfee59a2a391fac243a9bd3918c9b880352246bbc179ab130a991038a9b74671975a2159c509259f778b8eb0ef1271dd63a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
11KB

MD5
095e0a010f476e4fcaad6335432e5002

SHA1
a5cfaf6b1d58d44688308fd77b77cd7badad9c70

SHA256
37d6ed3431e8ded43e2a96085f306753540e60805aaa39fe5849ea8584a86785

SHA512
884fb00cc510d7376ced9c1277966d3028e1db83c3b1275ddd8e10e62af7743d52886a486938696152c9549d8e5c65ce01a1d1afa670a110647109555fc0868e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
e6556b1a8ae0b8a355682994222bf090

SHA1
5d5f6e413270919599115be5d7d6d0fcfb47a8e6

SHA256
34206e725abc64f201b97006560931b286a2b7b193e2ef583e4785e5e60623f6

SHA512
ff6736306c45baea99b499082d5f6ac1bbb0a28fe2f02d4e8ee12e2ea65b0516bdf248684e3e9e22440dcd28d5ec0163590b993171174ea51875b2bde63b602e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
18e9849a756e3c13a7407586847d82e2

SHA1
39a8547b552322ba8990231d9f249e523fa50f56

SHA256
35aa23921e96ff1c74eb8981ae1b9694fe11293d785b5d82d099d13defdfebb7

SHA512
c95e56d3ba9531a46686483747d4266460d481d44aaf864504b069a4df54a3a4833695459f8873d380ffadc1f321a8106b13bf0211a38cc60f0956efb83e0c3f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
81d8571af28e42e2bbe60b5118173da6

SHA1
a826876a268bb7ebcf67b050707ff8a8e05ee6ef

SHA256
5fccda50065844a012e1425d3d9d60b608c6d5dc07514d32d04b1c55a1eade36

SHA512
b6f2dc77b046e4577a996495a6a5589f6ea263e61570ff362f2fb3386dc2b5c80c63ee6ab0678b36e1e11f7a3e46a9c5ed2cf33a5fb523e6afaed0f5a38da347

Download Submit
memory/3332-5-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/3332-0-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/3332-2-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/3332-1-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/4120-10-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/4120-9-0x000000001CFB0000-0x000000001D062000-memory.dmp

Filesize
712KB

Download
memory/4120-8-0x000000001CEA0000-0x000000001CEF0000-memory.dmp

Filesize
320KB

Download
memory/4120-7-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/4120-6-0x00007FFCB0B00000-0x00007FFCB0C9F000-memory.dmp

Filesize
1.6MB

Download
memory/4120-297-0x000000001D7A0000-0x000000001DCC8000-memory.dmp

Filesize
5.2MB

Download