quasar | c84661368d31d5a1c4bd180bc2708b2bcadd0746b6df09e448e884f051848308

Analysis

max time kernel
384s
max time network
387s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-12-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d7fb.html
Size

10KB
MD5

abcb4adaf9557f5e32aab4d44faa5747
SHA1

7c370e88eb976b8536275f01651b6b1a54be2f97
SHA256

c84661368d31d5a1c4bd180bc2708b2bcadd0746b6df09e448e884f051848308
SHA512

523a5ec89c53a73f9571349ff4ed5c5bb618c3d36de9bb5631d3361c9284fbb347ae53069ff638969e71318945e3ecbdca5bfd15476487703dc316644fc4fa29
SSDEEP

192:z5uWi+KWdSLLL1q7qL5LZLguLaLMLCLCLDLSLkLNpoFnwm6NhVfUV/1LhAypHU78:z5uWi+KWdSPxdNkueQmeXmgxwnR6PVfY

Score

10^/10

quasar office04 defense_evasion discovery phishing spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

rolok44419-55109.portmap.host:55109

Mutex

33777fed-5d9f-4b66-ad7e-5542ef62e014

Attributes

encryption_key
A1C7F8E92E515420A946C210E4F8C886810ADBFD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004632c-779.dat	family_quasar
behavioral1/memory/1152-838-0x0000000000B10000-0x0000000000E34000-memory.dmp	family_quasar

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 2 IoCs

pid	Process
1152	Client-built.exe
5284	Client.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5336	schtasks.exe
5224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5660	msedge.exe
5660	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: 33	872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	872	AUDIODG.EXE
Token: SeDebugPrivilege	1152	Client-built.exe
Token: SeDebugPrivilege	5284	Client.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
2524	notepad.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
5284	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 4572 wrote to memory of 3632	4572	firefox.exe	83
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 3332	3632	firefox.exe	84
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85
PID 3632 wrote to memory of 2052	3632	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\f5d7fb.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\f5d7fb.html
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {869d2d34-a2f7-411b-b677-ad4e5ee8ba69} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" gpu
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24759 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {284a9f34-9faa-4cc0-ad52-07ede3684bd1} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" socket
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 1600 -prefsLen 24900 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c60203-bc63-4d58-b725-b84e162b6af9} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 1608 -prefsLen 29249 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3f0f9e1-efa3-46f7-b8a0-9f1fa19f542e} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2908 -prefMapHandle 3816 -prefsLen 29249 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56855f15-53c6-417d-a4ad-7b5f7a6c112a} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" utility
    3⤵
    - Checks processor information in registry
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dc1941a-da98-4f18-a40c-211562b601a2} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb74483-2f86-4ba4-98c3-294479ed8834} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5760 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7260dd3-e388-4644-bcad-51ea1f32e002} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:1364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2780 -childID 6 -isForBrowser -prefsHandle 2852 -prefMapHandle 5632 -prefsLen 27825 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69ac832c-6755-42de-9cf7-7ddb75331a70} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6228 -parentBuildID 20240401114208 -prefsHandle 6180 -prefMapHandle 6232 -prefsLen 30693 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab25e14e-9f1a-43c3-8f9d-0acd429a3b7b} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" rdd
    3⤵
    PID:1940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1804 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 4032 -prefMapHandle 6196 -prefsLen 30693 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faec2762-c732-41c2-a50a-477a604a6482} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" utility
    3⤵
    - Checks processor information in registry
    PID:4104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 7 -isForBrowser -prefsHandle 5708 -prefMapHandle 5640 -prefsLen 28046 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab1f7c22-b21f-475d-a129-2d41e954d345} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:1164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 8 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 28046 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7a1672b-81c6-4b01-81af-da65167dd2c7} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 9 -isForBrowser -prefsHandle 7000 -prefMapHandle 6996 -prefsLen 28046 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59221327-7984-4af7-998e-2d194bf6b5cd} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6960 -childID 10 -isForBrowser -prefsHandle 6948 -prefMapHandle 6940 -prefsLen 28046 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa54e99-c572-416f-82ee-bd21afb9b04b} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 11 -isForBrowser -prefsHandle 5664 -prefMapHandle 7184 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3969f745-c896-4bc4-a168-b6f1ea2370bc} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:2620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 12 -isForBrowser -prefsHandle 4996 -prefMapHandle 5672 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {310d4d8d-520f-4cd0-ad39-644fab697639} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:5460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7872 -childID 13 -isForBrowser -prefsHandle 7788 -prefMapHandle 7232 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c592591-05dc-4644-90a4-9709a7691e3f} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8048 -childID 14 -isForBrowser -prefsHandle 8056 -prefMapHandle 8060 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {344eb76d-e9d2-4dc2-aa92-f7a8515e4fc9} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8340 -childID 15 -isForBrowser -prefsHandle 8260 -prefMapHandle 8268 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {422ee934-962d-4ba8-8550-2a7c75f43b76} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7068 -childID 16 -isForBrowser -prefsHandle 5452 -prefMapHandle 7020 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e05e8889-5369-4646-925a-072dc571dc0b} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7824 -childID 17 -isForBrowser -prefsHandle 6860 -prefMapHandle 6916 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb92d99-cb75-436a-8455-5ed15381aa6a} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:6012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8716 -childID 18 -isForBrowser -prefsHandle 6716 -prefMapHandle 7824 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bffc7fd4-594c-48c2-8665-ecbb80f385b9} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:2044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7220 -childID 19 -isForBrowser -prefsHandle 8364 -prefMapHandle 8360 -prefsLen 28278 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e17c3f-9b16-43b7-b66f-9cb7aa8d2a42} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:3296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:636

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5224
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5284
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x144,0x148,0xa8,0x14c,0x7fff05ea46f8,0x7fff05ea4708,0x7fff05ea4718
      4⤵
      PID:1740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:5668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      4⤵
      PID:1596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:6112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
      4⤵
      PID:324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15349313395854678,7042575591709636088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      4⤵
      PID:1376

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8c74ab5c035388c9f8ca42d04225ed8

SHA1
1bb47394d88b472e3f163c39261a20b7a4aa3dc0

SHA256
ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

SHA512
88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
53ac72111e04413ed6bdf0c2269a6290

SHA1
12f3b47811720ccbf5359d62a327907f3e062598

SHA256
e006f58f41173e2ddf2e2f00f9401c0cb947c0c42aaaf962160f387f0c1a3c0f

SHA512
e7c00d2972c0c223b84d5761670bd81d6d3bf90b02cb10afde80393a20c00d1bfe9bb70d49e8ee0bc1f855b37e1ce53663444486100c9578d06a94df60762a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a5f59cffcde7505dd92b39659737d61e

SHA1
ae56826ce528603aa1c28ca641e5ead4bec72d94

SHA256
5d94b034910c208f83973821ec971d00eb3064cb31809ed9fd69063a9f754c25

SHA512
3c6b80573e4122d1d38e6023179d59689655506a86242fa9fc65886e236df8474ae9c9cc113e34f3b1b533921193a0c763b938bc63ed68859152d586f3cd3fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
d064aa2ebb1bb4287df5ae2821dd8afd

SHA1
954f922f9299ff0ba2090d6a9587354f9e85eec8

SHA256
6e245f0ba2164b0b8c6654eaf412d362095b340a594340edc35696e5814ea0df

SHA512
228128cca4811b51166ae55768421990a3c37f727246663c79cdd2aa8189f446ebbde2ff6e8af718b4ea8f7ee4a41b0cd2b575a50dffe0ac6104136b8712bf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
758408c1cd42d59f5fc57da8688974e7

SHA1
a27dee55591e275380919c9fbf1aa65335c2208b

SHA256
d2c35f1590cc99df0c9cfbef6001322d4f869deddd3df29c3bbf6c7db4ef322e

SHA512
a38d2715b0a6447ecd7fe6ebd37f3593a96152bd396ec220abc6de550c3b29f94fb23879453db5e7a718cd3aaf5ac2bcab06c09d2d166ca3cbd8fab5329d6586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
671cfbd0275770e681ef4ede37140969

SHA1
ac145dd046e86ab6aff6340664c509c4fd5f1746

SHA256
dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

SHA512
d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2dc0e85ad4fd458d34d9cc947aaf4010

SHA1
661bf6417b9df1931cc252dd4ca78defd903385f

SHA256
d043ceb120c7de0adc6120d0af09ea4844a7f957ec0023d3721a77f43061dc52

SHA512
d93e340824366e69e27838020633377f425094c9281cd31be06592760f18dc9ffaa95495846e648458f288e0253fcb9813fa74a94ce6a196be675b86a5d2506f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
2c4bbcdac6b5aac19da60d09e3df4edd

SHA1
6bd5174c9d1b9d461bfc314cbb5bbebf261ebfde

SHA256
48fb466dffbb89325e93e0661f7b615194543a35a896907cf7dece33a5941d38

SHA512
f60f4015f7eeb5306939b77a40edcf45e5147062d3daa3160a3cd7902cf973369f77221787c0299a98129772b5abb38339a8909355ec87bc26ecaedb4512cf05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d639f.TMP

Filesize
48B

MD5
d4984a0ef7475db960a06cee77813576

SHA1
c8a8039b3a46d410d6cffb0f9dd1d6d95018b380

SHA256
aa0b4713d0731cc405225b9b66ac663adcf5cdcb326fd4a6005f405c7da0ee59

SHA512
8fb178806b28f0a133ac4ba59c805c2b30114f747f28dd0230a49da7a4132ab52af010a6d302bcc25a7127face672ad62da19da3d2af07c2d96d291ae0d809bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cccb984ced569327c7ce43c3d3a4c5de

SHA1
fdbfb09fde6b64ff8871397d21f8a9fbf77586f2

SHA256
ca6165570bf349a70262b0fcaee8e1c65edd3f3dd1132009d7ef873b4ad8538d

SHA512
d37fd14194c8a444938a8e1fe6a4e9b4331b7c4e00c470a9b181be588028023a5ba4ee514f067205e5cdcd9e65798856b010693adab7eef177fe74023f62b57c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
9b9c342a93687e3be4fe2ef19dc6515c

SHA1
cf0b8262cf86b6b757690e280ec29ec33f7f1408

SHA256
4c970271613448c447955ed8b9870a779a2b32901c547baf35771e36511d8042

SHA512
3f0e9a4f77299742e13f30cb166bd2f41a22f59390bb3b53804f785d3181d3d1fd19ddb8d6a2d6371f4e6aebd2c33a56becfe42de639ce158178e460078ad657

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\11BF03F127E339410ED7B4BBE6A843B7F4441360

Filesize
23KB

MD5
1425b847f5285a1825e9406ea0a84055

SHA1
2a169504a347e7015ec07a4c62d64310ed002654

SHA256
7cc6eabdae6be563b8453f4d116d8ab715caa55e29ca1473b0e20867fd0da970

SHA512
9ead5e6157537ccce59d4fc61a16ce8d8aee6012469f621c5ecefe9066bef73bef583488d6cc2cbe9608ab75e2b7cb309072189ef9a5bf64a75cabec821b265b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\7F9219D5BC1C131DFC6C7A51AD19AB777128E8E6

Filesize
1.1MB

MD5
7539747d6e608c9261155b696cc5125a

SHA1
aa521ef2f1a92cbb1a7a1defcca7cdf9af426f7b

SHA256
d43b6461dc0a4b41df22e39a24884c227e5fc657c7721b7ae214119910dc5b60

SHA512
3b0a6195e7de843542f4508f8daabb489deb969e014d18bbe181282998abcdb3f257b254667912fe1997cdd2291ddeb5aebe1a8d1f3f0ba2350e4439f7322fe9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\8E85625EE9AA011944D3C0C6D5776A5A154B9FB0

Filesize
555KB

MD5
97b6eb67f5c9f384a7347ba41ac2343c

SHA1
033a628fbfdca2a7fb9755de5588b22e0a427bb3

SHA256
8d207b0c82e506fc96fd393d7cd1196d9e6e81eff39ee2c9aa7c10a7772098e1

SHA512
77dc42cae9f48224252450b38cde4cff47fe8c9d2aef960c697aa45ca974f285d724d9c2d5a70a68462e0dab479e151e419848dbc4a6e82988ccb3f9999cf5e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\E4166152DAAE3064CA1C720FA090352492AAFF6B

Filesize
408KB

MD5
7652735979dbafc2981c9122b0eb9de1

SHA1
3c2da7b6d03f1259d1f7ff0d7c77f77caf3392e8

SHA256
044cdca616ef548cc23ecd1435743b98ae4a0eeeb5bbdbf3b032ac14f14840f7

SHA512
8015a9c4d0b319cbee87474e13075aa31fa5433b59fe54cc0889e840d72aca46ee5f5f06dceb66752ff6a9b6c4c443a2c61096332e72f48e44aae10ce268d47c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\ECC64DD37B40B56D858C08984ED9530BC1CFAE3D

Filesize
106KB

MD5
0a3e99e424581bb276d92013f7c3c1e1

SHA1
ee9457604ec9818e4ecac51cc559d11d48b82de3

SHA256
a3d22e24afdb307dd0237f89c7d1d69d5f48cff0b4496e721d67b15a44567304

SHA512
91e4db8e38e965ac3e86b3fb77485c6e3b6880d5be5cbfb19fd1186c51cad49a058349c5c9cd14febf401811d4d4cb4320996c189b2fc928f8910accabf22163

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
0e96e79e31f05d31381e750af7b777b9

SHA1
a780b6c92736520385aff32bf953b672a730c823

SHA256
edc1ac54e388b44ffe77754b1634c59cc38a76e6008e8f5837dc17c1d6e5a573

SHA512
95babda5ed64996c0dd38936bf30b5fefcaae621a665f17d9a1fbefcf93eef6d625118f8b603d2912da0d278f536080671a8bc91a720ea54dbb60eea3c2625db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
494e1f8d259e97681daf3d7e300626f0

SHA1
7a93cec552100fd822fac9f94f800247ff393ace

SHA256
9961cc0ad48fb85a673fcb78cd7d13e87bac94bda511e166534ac5b9a10687c9

SHA512
83641aefe5d489091a6645284774280161b54d03a59cd417a942d74493b3a5551e5dd03620cf50eca31cfb87e496ac84c435079d2a4a80f85febdf3aef6b7f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
bed11e9298253b773b3562ffab8ee6e6

SHA1
5dc9f667b733e69037ec8ba0a9d419a6cbf0279e

SHA256
3d9ff04c98cdda352b3c2bad11c200d156136b35b400db92c48a64eda35fe892

SHA512
d641295abc01f8e92f4da598a404455548d38eed0eae6a2a0e308400daafbbdf5c6156032993e9ce968a0daa3eb2ebcb6096fa2613fac15aca46aa7e1f6b8781

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\AlternateServices.bin

Filesize
7KB

MD5
a70debb23dd47937156059ffa7ad8034

SHA1
30c1f9c06634b540d4d9a9394ea8cae9c6e43d58

SHA256
49e95747a6c8e2867b34939896e4d6ba043c755241c577634519f08741d9cacc

SHA512
792bb39f6db32000fa67f1cfef01f05e98bdad5fff762c12479dd6adb632afcb384206f8a6c81243b537de532c2321d7fdbeaf7a802359fdab97b090dd26c065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\AlternateServices.bin

Filesize
11KB

MD5
2412de0221d5fbdf01ab71cc3f36e065

SHA1
2a06167cfe2ef87858d62b5361e0c76a3f7987bd

SHA256
17b7d8eaae6fb512880106ba573506c191c8e888f16d1a8d40575efa8296292a

SHA512
c4e468ca7517e6e2fcd2dcd48b7856ab67e9906692c9eeb78a2ede2634bc916bac8aea04364fb5f28a971390837744a3bd1d628908a1ab02a51811666eb15263

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
155887100cbf74afb57d7ceccbeed869

SHA1
89416f0450b59c352067a473c36edf11e5288d29

SHA256
71b9b0f0e9a68d0dd457ff00eb5c91631993f94d79db70628480102f439d3e9c

SHA512
10264abe2bf4dc3d5f16b709be969a380596cc88b53fd79df4bc16ba6de3569ac27de4bc3e17191ea569e865e31c28cb961f9dba616ba9bb463a126e2109b9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d8828b0dfa871cb91a6049d4026ad837

SHA1
812a227c69a4c866e33698e60770e9bb89fa15d7

SHA256
92a4ec09d82e8bd2b5937ca0aa92196afa0c09f155c1fe601027fefeeda95eeb

SHA512
4a037a2b491fcab63e2f7e15d6528912df41098ff720f923fa95b04a706b21c5ab5f14485cfd5f13726018d445263e1d9f0ffa8e72987a2b99e31bd90938b7f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
76126272c94a48ea07bf9c7e83eb3db7

SHA1
6666a3f48de2244129cba47b5574c4b3c103eec1

SHA256
a0a8013417afc6716f7c6e0a2d7345e65b216bcdb45fff34200cf091115e875d

SHA512
7ddf48dfcf91b176a4a4dedb747e7499d6cfb6ce4b695f3ca916b906b327373673c0408d77a332cca0b37d5a16e77f68f207426de1bf3577f9028e9e74a415df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
38KB

MD5
db09b0214e88a671e41de9a0161fac21

SHA1
42e8878d5d813f086c49c5243f71877b4393b8bf

SHA256
22867cd6d362f90011e05d9aa8c21481c979cfb6ed3d0d6acb7c51cfc97ddf83

SHA512
d2ca8d80481a68a9cccf0308f5ef82a52668d84750d77f3d1b1dfeb3f066c7c1a774ec733f5d5d2280631017d43c87ae74dc13a4fc827502cac12dfaa4e4a8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
48KB

MD5
ab3956f5d0bf622ba89f2b4b94f333e8

SHA1
7704c30cd0023e3f6ac54dfe625b06bdcdfe9057

SHA256
03325bd20c76986eef7f80c1747c379f6c25421afbfc29fc33452e89af2fe161

SHA512
f6badc8fd49c0589bc5ecf1d2dccdf7c4adcd5035af65f6c6bf479fc40e5b9fd12c4e3c0633f00ed77622d0d7d8d18764adc2beb4a50b12601fc98366ea88de7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\1e4e24ec-1b52-4e9f-9044-245c63b1c531

Filesize
28KB

MD5
29ccab1c53bc37fe8dea8e1c7e94b6ba

SHA1
46eea7e7ffba5e7a16cb69483ee4e8c5dfa414eb

SHA256
de112ea6032439533df3fe9ed5c004f35bfd6491751dd502e642fe2562dace70

SHA512
99ef4cdf0a3e39b6cefc82b12c1a6ca07eb89cfb93fad4f9e81f556d4774f5da5db5b0c352a3e4b3cbef15b7a8d49091e6cd144e059567bf6a4c77fd5eca7a60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\a39052c5-250b-4f4b-8fcf-4b05acdbbf5f

Filesize
671B

MD5
56ce6d31ea80253bf8d6d371a40b9e1f

SHA1
8ecc8740788b37e95fcd272619476b1475f8b17e

SHA256
5ecf71ba64f6f656006640e7c21b73389fff8c821784cf3de0d61f0d8e21c50e

SHA512
4b5549db4925326d680b0d695f0c4c1b4f8267d86e7953267bc8b39f0709ec06c8eea9107e1c97f540e7ab954684df608ad21018fcabeb995daa7b6ce2919a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\a9de5813-a747-44c4-a188-c2235089c0fc

Filesize
982B

MD5
239f9a5b2dfab187b917fb2241bd9f5a

SHA1
b3e96fb484c77de6bea32db7bdf5c34c942ceac1

SHA256
f28d737caa121764e6d37b08aac0b44f45f3aa0d5958073dc99c7ebb227e30f2

SHA512
017eb92cbb9692ef0e684ef590f108ee197838476931345dcc15e1e862f96b5c29dbaeb76f9efe35339217dd228aee374dc40f7de3e29a2d9fa052180c1c9446

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
11KB

MD5
c48fbf390d92fedafd63747b0f6938be

SHA1
91848fc33906db9db970195d45689c1f39f74437

SHA256
59852dbc15ceaa59156d002e2a20903c0ea344ad65c6e29d86f7ea7791cac402

SHA512
c80f7c34d709a1f8f58bc644c4a73122f6596e67c595eb34e419ea59a168536cad3c9d4700bc50bb4a19029fdf00de8c183af8bab1a63042deb9671f1de6d1d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
10KB

MD5
2c7ec7951b757b1e7356aab5934d2415

SHA1
296e1ad1be4e308860f165ffd6ece1c2cb7a7ace

SHA256
0960924fc2e9369c962d0e1ae0458aa251723c22b6d632ef9f74b041523c30b5

SHA512
caa41bd6fd4c5231d89de523babd6169cc1b7b923d0876b2e4c7dda14cceb4d699f57aff27794d6583adb768187e813b0c6b6b7632cc3e6b1f2a4bbda765b214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs.js

Filesize
10KB

MD5
51cbc7e6102429719db38c40ba6a279c

SHA1
e94d17abcd8b929524c50c99642243a1f14d650f

SHA256
f8dc437333c844a0fbcee2ec09ef64684b57f8c7cd7254257007611f11fdfe09

SHA512
cc5de26dafc1deb1461abcc6a80763d973583a0005e84d2a55bdff2f84aab58ee8cff25efee53a0cafd58e76bcd5d472acf3956a5874f004f8b384816bfa5d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs.js

Filesize
11KB

MD5
9b89155660a007ce522321fbced586a3

SHA1
84422342b2dfed60e2b0be0c65715cd6c95dce08

SHA256
32791ee929d1ddce5d01a72a557f05ec162e0969edd7206dbe9e1e3cd8ee05b6

SHA512
55e37ce1e05ef191f1394a3db9a9c0b5159ede3da1a169c24ac0446658a57c2bfc60041b7b01035a83e7a996b31d2e73eb9a1e52ee5b48046b651ee1b09b5900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
0ed7c0b3b2ef62f9ce9831e57cc0a47e

SHA1
4be9364ce445461941904b8eb50013b8eb60b2d2

SHA256
e8f65030e2a3ace7bcfb246dcaf8c9170556e5972391832cc40038aae2fc75b0

SHA512
ff54602529390165c45fa399fdc7a983b0f0c5ac8c08c2aeb3027407e5a7739e8d742464ebf2b2fe8718df8d501d9e07dd4d619337546b97caf99587e36b8817

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
aae0145c163336807aa1f0055ffc5d77

SHA1
ad1fd3a8b36af2e287bb00f8b6614491c09821f8

SHA256
75b4b3d53ab9916f3bb243c29091cd844d2e57802018432c77b1c7067666c7e9

SHA512
83438e48b362d4fa43a93490a752d680f56c02e293eb2e4a68b157f5fc0de1e73507482a23605382baf982a92dd10034eb3edbf82abe05dd4613fe2fde57a743

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
29438ad34d5d963b94ca5a82dde8a599

SHA1
0b81c88718c210adf699fa8f84adc50741f9ebdf

SHA256
4234ba08d1ce96d9373f8ccaf21231f677915502220febeafc3e281428f000c3

SHA512
49aaa9ab7fb540e7f2167938997ae8e1306a8bbdd5293e9169362b430bd2cfd129196710ce505e81e7b9851744d139c8872dbf56b2d7c6a3b7b9ce94a1d4dd6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
363d69de73397702f7494262a143ed9f

SHA1
ead7387771ae06a9b06614cb92006e18cb6bb399

SHA256
d58d109a03fe02bc86c9c2b0b47af435d71613fa5a93e396776eb69f54e7b6af

SHA512
c308eedcf84875844779e8313fab16f3f45f811d7dfdee4c055c1696d18caa1c9c24833409dcb844f659a0df8f0af1a366877fbb3dde7ffe726de72c46a91fca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
11aec0cdc48f4993a35e6523d77decbf

SHA1
96b8883383d6d38caaea80f9a9ae5c40a109bece

SHA256
804887bcf6633340f2c1e26c7c9f58c24452e87198b0aa0073f92191766a9ee4

SHA512
adc5e94a89e47cb398b3441ddbdea2f237827b5847cd3dd5b36af0396c91ef4a050136b48dcfe94a8a2c5872d971e166181c178196c2518eb507691476eb3e29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
983de5661f38af593c69f0289efe94f6

SHA1
ab67fdc1ea9cfee43b0a84cce53e8cea4b984826

SHA256
f16d04568d77ee04890ff19141acf2f1b30697caa4287ebaee9ea88c6c6ff329

SHA512
4a82fa359016f5a4a289ff41d4d6b8cc62e5311f93bf4ea998b50d670bc5cdd227d53bd991a1ae689fd69404cc829834065de786121a82d802ebadd7ffe7bdea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
7d99628dc7ee73f11c2bfc2ac80618e8

SHA1
48ffce99b600e8e947b79ffb4463418157840d49

SHA256
ac8f4409d17d4e41ce2d1cd0e5f70886db3744a96fef14ebd3394272e1799379

SHA512
6c323bfacfdb9261d418b752c82d1ab449fc631318c6b81f90aeb61c6b53ca3926cdba2e94a3e513739bb143b32f73b64a42ab06f1b7b0f13639779429ee9f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
938ddd67ef3f1344525dc9920be3e588

SHA1
9d081ba58636b678418b9e37efc7ef30320ce7d6

SHA256
f45471f34510d4e51d1e3abe101669ac58d8fddd824013c2dcf6838ea7f3adf8

SHA512
f05250da6cd2f02da7960c6dd6ede993b1ba1086298f43a29488de34dd3d277460f8277775d808c997e26feb61064f64a11393158e35bace612e7d49016f7108

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
2683993d0e3092e3e862ab3cce7620cb

SHA1
48366ccb815b50b5fa2dd74c43a934808f088fbe

SHA256
92f42db225c04408080c9ed54164b3dcb771f0b0db75b74df177eed23c43cf98

SHA512
0af9b9abb0191dbafb25c086bac1ed6f584d39d65c878a90b95afa83eaeaabf6ae475257cdd7c31eb9519c945c807537e0651f905a8fdb67e4d02daff21b3833

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
32ca203b9dec5eda0ab751d62bbac85d

SHA1
053342b02f4e2ae6f51b528845a76787dbc33e8f

SHA256
f84ceaf83129da82fd7332d949ff8585da1993e9fa0ec2f1a64b095d67f88912

SHA512
10cf3b4d01d55548956509d92238da027cfcbc70e7a7f99b7653edc7e77066a98157e4105b6ff7ab488501ea08cdd252f2e7474a3a61ea3b8b965a980b46057d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
c236240c382f27fd433331c5e4acb789

SHA1
5bb614f1d72c4244eedf68e47ab80f18845941c6

SHA256
dcbb966b93e7178be7c4508dcaf79fb75288abd0a04898abce1b60f382253f11

SHA512
e7a428e71b4e0825f2759b8b295db36ff4fdd60d4a87a38c139971e4e332f778c6a15f391b7e1d08058fa3324c57193e1510fc70f0d7eab2492e1e8db8bc3301

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\storage\default\https+++backgrounds.wetransfer.net^partitionKey=%28https%2Cwetransfer.com%29\idb\12183338011.sqlite

Filesize
48KB

MD5
165050ad538740b7c0330c2a6329c90f

SHA1
1dc3d79bfb11fee645203ee72d26190b9e7a4010

SHA256
9cb17c88a8f6155cf14f4df735b32d19f0d46945310b096caa78322ce0ae4c08

SHA512
08bbde1c9029779263e481bfce1a23e878752c0a047d5385e7398600b69b0ba97f59b4178f9102329da10d7a92b78a98842dcfa42fd5727580b3368b7c48559e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\storage\default\https+++wetransfer.com\ls\usage

Filesize
12B

MD5
ab47719faefd8d166dfb95c28437906a

SHA1
5d55767b9a1f38845d46b97b44348d4f6eeb2be9

SHA256
449da65a56c1d407d3442735c39d41a2e0ba0cfcb48b58b5dc1eb0b76b639ca2

SHA512
8a7ed1b1624c1560603a28dab0a8530a6ac577b37e17177a87369e4c6b6af172bb22182a5f3aa6df6c982ced2f6f559debbd8e2874d3d8ef5c0eb4907dff86d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\storage\default\https+++wetransfer.com\ls\usage

Filesize
12B

MD5
b01e27bdb3721a94306cdd083cf404fd

SHA1
31310539760d6a1b71abe5ae39f00d4c983ea89d

SHA256
23575483ec8303ef79c7af9dd93227177fa8cde891e377cba7b8108acd3f2c21

SHA512
58e9a9cf1cac211d4cb8b53c756dbbefc16e11791d835817326442b81b889f9b669373bd6dff5d30b6beec80a116b3b738f580841352aa4b41192d9d468d22cb

Download Submit
C:\Users\Admin\Downloads\Client-built.SgJ5K1tW.exe.part

Filesize
3.1MB

MD5
c83b85769f94cf2988d0df431b401a0c

SHA1
8af8f3bf0b6d36932c27c3a58ddecd5484bf585e

SHA256
9e131add1f69a9698266654ede4248fdf529325f085f80b397a3e9ac5565f985

SHA512
81d0b6c62984165588532fc5b7e5d7e6712848832589145fdab58482fa6d009d727c38fc9fc0b6bf287ef74782750534467d324fe882728e79d150dd62702d76

Download Submit
memory/1152-839-0x00007FFF05000000-0x00007FFF05AC2000-memory.dmp

Filesize
10.8MB

Download
memory/1152-837-0x00007FFF05003000-0x00007FFF05005000-memory.dmp

Filesize
8KB

Download
memory/1152-838-0x0000000000B10000-0x0000000000E34000-memory.dmp

Filesize
3.1MB

Download
memory/1152-844-0x00007FFF05000000-0x00007FFF05AC2000-memory.dmp

Filesize
10.8MB

Download
memory/5284-845-0x000000001B620000-0x000000001B670000-memory.dmp

Filesize
320KB

Download
memory/5284-846-0x000000001CA50000-0x000000001CB02000-memory.dmp

Filesize
712KB

Download
memory/5284-847-0x000000001C9D0000-0x000000001C9E2000-memory.dmp

Filesize
72KB

Download
memory/5284-848-0x000000001D150000-0x000000001D18C000-memory.dmp

Filesize
240KB

Download
memory/5284-893-0x000000001D9C0000-0x000000001DEE8000-memory.dmp

Filesize
5.2MB

Download