quasar | 5f7be136679475aeabac1742ed75b13a3a6019a1e26efc07ceb199c5ad016b90

Analysis

max time kernel
592s
max time network
602s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

d71b9f864361e49d0274c9e18b877093
SHA1

eb621f94801e47c5e1ec03944d020f3a98c446d0
SHA256

5f7be136679475aeabac1742ed75b13a3a6019a1e26efc07ceb199c5ad016b90
SHA512

1b535c8b7ed061f035c82d95e91c1ddc7386da4d1d8b7c0d01e55b8f2acd403a9f60ae40e0c5444ce7aea50b029035a8a4c62654e819d98f690bfd7dab9bc02b
SSDEEP

49152:mvOY52fyaSZOrPWluWBuGG5g5hx7n8LioGd1CTHHB72eh2NT:mvT52fyaSZOrPWluWBDG5g5hx7ntF

Score

10^/10

quasar test spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test

192.168.1.35:4782

Mutex

lol

Attributes

encryption_key
BA1AB307B42098FBECD193797E23C0F236DEF7E9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
sigma

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4736-1-0x00000000007B0000-0x0000000000AD4000-memory.dmp	family_quasar
behavioral1/files/0x001b00000002aafb-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3860	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	Client-built.exe
Token: SeDebugPrivilege	3860	Client.exe
Token: SeDebugPrivilege	424	firefox.exe
Token: SeDebugPrivilege	424	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3860	Client.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe
424	firefox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3860	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	MiniSearchHost.exe
424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3860	4736	Client-built.exe	77
PID 4736 wrote to memory of 3860	4736	Client-built.exe	77
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 3292 wrote to memory of 424	3292	firefox.exe	101
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 3796	424	firefox.exe	102
PID 424 wrote to memory of 668	424	firefox.exe	103
PID 424 wrote to memory of 668	424	firefox.exe	103
PID 424 wrote to memory of 668	424	firefox.exe	103
PID 424 wrote to memory of 668	424	firefox.exe	103
PID 424 wrote to memory of 668	424	firefox.exe	103
PID 424 wrote to memory of 668	424	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Roaming\sigma\Client.exe
  "C:\Users\Admin\AppData\Roaming\sigma\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2672

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:804

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f1d75c0-1a7c-4818-8836-143469436152} 424 "\\.\pipe\gecko-crash-server-pipe.424" gpu
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5542b3f-b841-4916-8100-1a91303524d1} 424 "\\.\pipe\gecko-crash-server-pipe.424" socket
    3⤵
    - Checks processor information in registry
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 2872 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b9d9348-a8f8-41c0-8647-edd70300c1cc} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4eb5590-b012-470a-8ce0-45abd6f47629} 424 "\\.\pipe\gecko-crash-server-pipe.424" tab
    3⤵
    PID:2160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4740 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d9390c4-9f1f-4d9e-8bd6-f407961f35b9} 424 "\\.\pipe\gecko-crash-server-pipe.424" utility
    3⤵
    - Checks processor information in registry
    PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
cff404864b68241c07d220d3cb88ec1c

SHA1
81005a01cddf2abed441e0a7c9dce276c0542d80

SHA256
6494cd31bd9527ee551c2460a65a23dabe8dee1f1798e259ec64b6d369074cfd

SHA512
c7dabe2c97c61ceb2cd28bfff673ddb406310bb43dab3db8f721e8d8edc63db8bf62563aaab5bf41948c54e6837f3c1cbd112ba2ecd4081219d5a07cdfee3355

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5dc97235-e357-45e0-9467-de0e80c8696d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
6KB

MD5
45a4cb861e63d6e95b2687fafac3c243

SHA1
558316ec4e1a07b29e0f7359f52173747fd9ac82

SHA256
37039c64c6268dcaa0b1b2bade880c30ce07365cfa26fabec045add4e579ea75

SHA512
6e96293abff87b575d118264305de8b1407f10bcd3eaac8bb006334d63169834d1736fc780b91c5e6cd73f11ace2eb5d45f60524c8bafa8b4338b8d7c8f7e42c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
6KB

MD5
af718140e7940812f1d9c0e3ff34dfb9

SHA1
2409a9703fdc2865411bcff9fee578a4c607657b

SHA256
b53ea7784b1cb10221c4af7a08405b141924fb1b4a7521be7a10fdf2b7e4dc09

SHA512
024a651ce3f38bb9bedf9f6f1d4283285da929235358a2cf61588c4f9f09e4f78935bf1976a3d99a051f932f3dd51441ae8b4389d40a01759da5375fd4b7bbf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
06eb05d39f8208175762a0d80ee83b22

SHA1
dbc57a80196126ff126e71d317909808a98b8423

SHA256
1b7f073528835dfa1269601f026dadfdbfa625232a7c1d329ef950975ccc5d59

SHA512
64eb48165ae27bd5d98b1da7c6fa3b282b3cf2730f2b5aff90a9f83e36ed23eced739e0eba7e756777685bec986af00310101219c0f46b0f97d73cbb195207c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2979ba4912d357b3f597b65e088962db

SHA1
e07c733eff90fe75931c8c44ce6afb46b838029a

SHA256
467d9b43e03fe43ad1fe2d57cea55829bf504c545b3f59dce9f25da7d7cd9fc8

SHA512
ade3b39a119ba8bb1e1acfcf2fb1f571501e498624d3d5d20c5d16f311e56671e12cd24bca9f48d14efd2fc0823b3b8c5fd690255f03fb8b8a041ce710e823b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
24d33b809626f594173790856b4915ba

SHA1
a9fcb0db314a71ac0025563fdabd38136138db99

SHA256
c7f336968142403c8f4f2500525c2d1396fbbd009c1a62da39efb5cef8e72160

SHA512
82cefbc7aba97d0d64a00dbd4fa0bc9bb2ba6625f22b2be27d10b178dc0aa1d3bae9cae6edc7626f196a2f7399dff5566baab26035ec59f9eb344b7d7aa0ff50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\0a311556-20f3-429e-9da3-0e1ed6e69a8d

Filesize
25KB

MD5
4410440ff6a236cbbf7d73fae4b8cbf3

SHA1
0bf696a4137c78f44c592a635118644f73def2d9

SHA256
a6e6e37613fa63912f2fb292748b6a3d582d72f1cbf9b91eef25eddae37bfcff

SHA512
58a0c5419ef657582614c31192e5bc2db3808be5d971a7575c66be4a1637a999d63d5bbc40266822549c05d20d862724ac8cf5e7663dc2f117cbdb1e5d87612c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\6025c906-c2aa-4273-8ab0-7988516064a4

Filesize
982B

MD5
97db8c200f26bc599f1608de7725f6bc

SHA1
0a322692f5e20b1d3efa490025779ced7dcdc9f2

SHA256
c6832f7c15e08eb6f5ecda462d0a77f40e511bf82916357de3cf707cf231d3bc

SHA512
f9d055d57e86944c080a1a30a31332b7d86777ffeeb801fafcfef43c65338b33fce0835d5a35d468059c742c46a3d9c2ff3535cdeca6ff2637dde4be5ef4192c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\97ed48d7-3aae-4663-a52b-feb8fd5859ed

Filesize
671B

MD5
ec8ca08dd451d2438a9f42fa746511ab

SHA1
97c2b464cf303756aa7bc302dde15b90af66f8c5

SHA256
283329a2b20d64bdd77454388268e45fe11f4cca41e71b39403a984d082343f1

SHA512
5ee349db23ef229147dbb8e64044bd5dd54ca8db7a25ce282e8283b66c874a35ba578f2a4a71790786ec60acde61a2c2dd886c7549898604a95ce407149e67fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
10KB

MD5
9d0419f301e0adb873e453b707de6718

SHA1
15ca3915b643c78c9b4b0018b8da89b0b1b1a4b6

SHA256
333cde8e55f0f7affb36cd80d0570e5692e1df813fa938516b9b6a449c986d94

SHA512
d57c6291788208404e62cf6c189d2e46193e9d2fbccf7124bfe93b6627050bd9102b961181d1689dbcfb2af1feeb89f10e1a91b56b6c12fa44abfd5ff6a7d039

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs.js

Filesize
10KB

MD5
8d1dd489e8599b829f6be8dc84cf4559

SHA1
2409339e689572399a8727da3c67d2b2e6632a95

SHA256
a2e5a02a1ed8bac51c0b5186f9feb28796dc2c876f024fd38f3cb479f001aebb

SHA512
f67596307c05c3bfc2d6378de61b6d0a49a03813932b451b454599905f32923f23dbfd0f6df1b371933540c5d11424c3b1ebfe6ef3c22971bb963a3e983c5350

Download Submit
C:\Users\Admin\AppData\Roaming\sigma\Client.exe

Filesize
3.1MB

MD5
d71b9f864361e49d0274c9e18b877093

SHA1
eb621f94801e47c5e1ec03944d020f3a98c446d0

SHA256
5f7be136679475aeabac1742ed75b13a3a6019a1e26efc07ceb199c5ad016b90

SHA512
1b535c8b7ed061f035c82d95e91c1ddc7386da4d1d8b7c0d01e55b8f2acd403a9f60ae40e0c5444ce7aea50b029035a8a4c62654e819d98f690bfd7dab9bc02b

Download Submit
memory/3860-13-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/3860-12-0x000000001C770000-0x000000001C822000-memory.dmp

Filesize
712KB

Download
memory/3860-11-0x000000001C660000-0x000000001C6B0000-memory.dmp

Filesize
320KB

Download
memory/3860-10-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/3860-9-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x00007FFF67D53000-0x00007FFF67D55000-memory.dmp

Filesize
8KB

Download
memory/4736-8-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/4736-2-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/4736-1-0x00000000007B0000-0x0000000000AD4000-memory.dmp

Filesize
3.1MB

Download