Analysis
- max time kernel: 110s
- max time network: 117s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21/01/2025, 18:27
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.178.50:4782
17d7542a-41ae-4995-bf0f-b4beb6fffbb0
- encryption_key: 67BFCB1901402AB550189E7D65D43FEB52181781
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource | yara_rule
behavioral1/files/0x001a00000002ac5d-452.dat | family_quasar
behavioral1/memory/2368-568-0x0000000000390000-0x00000000006B8000-memory.dmp | family_quasar
-
Executes dropped EXE 2 IoCs
pid | Process
2368 | Hackus_Crack.exe
2196 | Client.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\Hackus_Crack.exe:Zone.Identifier | firefox.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Modifies registry class 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | firefox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\Hackus_Crack.exe:Zone.Identifier | firefox.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2876 | schtasks.exe
2280 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3268 | firefox.exe
Token: 33 | 1676 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1676 | AUDIODG.EXE
Token: SeDebugPrivilege | 2368 | Hackus_Crack.exe
Token: SeDebugPrivilege | 2196 | Client.exe
-
Suspicious use of FindShellTrayWindow 21 IoCs
pid | Process
3268 | firefox.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
3268 | firefox.exe
2196 | Client.exe
3972 | OpenWith.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3676 wrote to memory of 3268 | 3676 | firefox.exe | 77
PID 3268 wrote to memory of 4800 | 3268 | firefox.exe | 78
PID 3268 wrote to memory of 4592 | 3268 | firefox.exe | 79
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 3676)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3268)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/H2Y2zZBR#GPyNKr9sq_Cdd7k2poochlDdM2uuYSHYdWNkALhj8AQ
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4800)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ffbc7c-df53-4ad6-a3a4-d235c2aa3f05} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4592)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa32a97f-4cee-4701-8801-91249cd7b484} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2164)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2824 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f19973b3-b261-45b8-890f-2667980b0e9e} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3480)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 3828 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96855b51-fe5c-490e-8154-51643773e5b1} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3436)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 1560 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {572f2c38-f737-4cdf-a75b-8dd00ac64c99} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" utility
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4656)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 3 -isForBrowser -prefsHandle 5732 -prefMapHandle 5736 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d4a8178-cf4b-41a3-9eb8-c338a943328a} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4544)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {703079ad-b7de-4b9d-9115-9689c503cc7b} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4752)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5528 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96c20c57-5167-4d8e-9de3-01732ecb7bc6} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4736)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6488 -childID 6 -isForBrowser -prefsHandle 6316 -prefMapHandle 6432 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04b83bfe-def7-42a4-b887-917020e9e063} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3100)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -childID 7 -isForBrowser -prefsHandle 6308 -prefMapHandle 6272 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb70f78-c1f2-4dbf-a109-5fd4d4dd5795} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1664)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 8 -isForBrowser -prefsHandle 3856 -prefMapHandle 4340 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c9d321e-3a00-4e3d-b6d1-e111adf9251c} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
- C:\Windows\system32\AUDIODG.EXE (PID 1676)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 428)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\Hackus_Crack.exe (PID 2368)
  Command line: "C:\Users\Admin\Downloads\Hackus_Crack.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2876)
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2196)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\SYSTEM32\schtasks.exe (PID 2280)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\svchost.exe (PID 4624)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\system32\BackgroundTransferHost.exe (PID 1740)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  Signatures: Modifies registry class
- C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 4800)
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  Signatures: Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 2520)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\OpenWith.exe (PID 3972)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads