quasar | 1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s.exe
Size

3.1MB
MD5

c710a6667ea3c649ee266a981893440d
SHA1

064314508d0579b471c568741ce170f1d6ce61d3
SHA256

1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3
SHA512

f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6
SSDEEP

49152:bvTlL26AaNeWgPhlmVqvMQ7XSK2ixNESEXk/idLoGdSTHHB72eh2NT:bvJL26AaNeWgPhlmVqkQ7XSKfxeV

Score

10^/10

quasar office04 spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

per-cassette.gl.at.ply.gg:41388

Mutex

96621e5e-be82-4575-8b94-bb078b016935

Attributes

encryption_key
8372309E4F7DFDD0DD443E979B8B9374D4F2B48F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5032-1-0x0000000000690000-0x00000000009B4000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b2d-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2520	Client.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
3336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	s.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	3540	firefox.exe
Token: SeDebugPrivilege	3540	firefox.exe
Token: SeDebugPrivilege	2072	taskmgr.exe
Token: SeSystemProfilePrivilege	2072	taskmgr.exe
Token: SeCreateGlobalPrivilege	2072	taskmgr.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2520	Client.exe
2520	Client.exe
2520	Client.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
2520	Client.exe
2520	Client.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2520	Client.exe
2520	Client.exe
2520	Client.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
3540	firefox.exe
2520	Client.exe
2520	Client.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3540	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2516	5032	s.exe	86
PID 5032 wrote to memory of 2516	5032	s.exe	86
PID 5032 wrote to memory of 2520	5032	s.exe	88
PID 5032 wrote to memory of 2520	5032	s.exe	88
PID 2520 wrote to memory of 3336	2520	Client.exe	89
PID 2520 wrote to memory of 3336	2520	Client.exe	89
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 1816 wrote to memory of 3540	1816	firefox.exe	98
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 4744	3540	firefox.exe	99
PID 3540 wrote to memory of 3084	3540	firefox.exe	100
PID 3540 wrote to memory of 3084	3540	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2516
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27202 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef6da0e7-7318-442b-9c29-73473818e3e8} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" gpu
    3⤵
    PID:4744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 27080 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35b6bbd9-d9dc-4beb-9f9c-28d05afde452} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" socket
    3⤵
    PID:3084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3208 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7390914-7825-4c06-8551-c796c07c88ed} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" tab
    3⤵
    PID:4712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2532 -childID 2 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 32454 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cee66344-dd3a-44d0-9295-015376921492} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4784 -prefsLen 32547 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1d5049-59d1-44f4-b301-b29f36587036} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" utility
    3⤵
    - Checks processor information in registry
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a954c041-632f-4720-9d79-01ce67371276} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" tab
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5128 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb9e2fc7-7dc1-4ef1-a3af-aa4132fd8c6b} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5072 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01ce8757-8535-4951-ac96-f9d5375534a2} 3540 "\\.\pipe\gecko-crash-server-pipe.3540" tab
    3⤵
    PID:4936

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l38mg4qa.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
d1b56975911f874905982907ba4c6428

SHA1
b02843016f04b12824e640103c184721445d6741

SHA256
fbb66bc20bcd235274f269e4923599f05280ec3d7a78df7f14c154b8917bfdaa

SHA512
06e6c0c548de2288032085ab04f965ccf2278ef01e8a12f9dcacfb80c3ee18ecfbb6183894d12efa92dbfb7d3e3bc7689a736abde45a1df357f9b1c4631f1e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\AlternateServices.bin

Filesize
8KB

MD5
f4f2f6e85304e40bef855ed382d06b6b

SHA1
2599cc97cc59dc81e1377497ca5981131b348b3c

SHA256
78eff3532c2affff46f78d2232fb81304f0d98f5fed3b7c57e3166d2e2600849

SHA512
ce89548272b1c60179b68b8445bced8e832f77a8d5531a2e46c54b399d27cdb4bc06cc10da06083dd7912d268a91c93c5582bcf41e76819b23fb7fa77a907fe3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
5fa1caf14692a5557841d6242f1efcc0

SHA1
ec41cb1144ea3ff2bba77b491c142bbfda354541

SHA256
5c0b9deeb48f9b9822d1cb8566e39b2de19884758309dceeccd55245a5f56424

SHA512
159cfbd69baf3aba10cda31aa2676f7ea8bd07e5d938d97d62b78c19087853ce3e8f80fcc6d7cf24fb9bd06b589ddf5feedeeded1bda64c9f36a1c7bf5a742d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fdc871015d06ee398f912c2aaa006af6

SHA1
3dc52d6ec62a6bc4d443eebb47e136f437637777

SHA256
6fe98bd11f3e9b5b7fee7248f65637cc128733c9f7e6af7976ea77b7ac63b994

SHA512
bfb491a430503b7b4415a15a1195e33d0ea1d4000dda3f1db73ee6541e365170f6f49bafb114e001fdd2859fd9e4a4cc87934535917c0568fc36854422b23c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\datareporting\glean\pending_pings\1c5c0f56-dc60-4602-b120-c5f692713a73

Filesize
982B

MD5
446e7551766a6cfea2aec507fa99db89

SHA1
fb1875990049d939ca8d50157c977af8b6258fbc

SHA256
776295862d688b289c4b9cf79f93219a16006a2fed739ed67a8990c931962512

SHA512
966c35ccfd7af8ba6a5f2b10323f530c1a3df092be1bd56d5a804004aae0f604e70d81e52a41ec6517f70240494fb333167c621611c4f7ba6e165254febe66bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\datareporting\glean\pending_pings\790e56ef-5f97-43ab-b6e9-10a5ce5eee1c

Filesize
25KB

MD5
34a00abb8c096cfecbde5f747901b58e

SHA1
876373035b18159a70707918a5b087136e6e0b77

SHA256
a9a7f96aeb5d1b27e2c6646b8e106d4b191de11dc2b8643ecf43cfc5cb371e65

SHA512
946eacf30cfab3f756af5673f501393a3555ec3bc71a09a8f91c1fd6b8b2adefcd254a92f2aee488db45a71b93504c2652d02dc7c6001640230ab530dc247dcb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\datareporting\glean\pending_pings\c40cc7b3-5b43-4653-9a6c-9294588926d8

Filesize
671B

MD5
538ca054c2c644a9665772be76e60e2c

SHA1
5714653d54b71e4470c7733bca5f92649b712b50

SHA256
3fb1846377c718fbe0b617493282f4ec7a554809529ed71be3755f843a45148e

SHA512
1bd0142a2b46c0352721712de5b15ff4d0b3abe5df5c399d66b5599ab6efde5257460d544d4ff620b1cdef2044fa7792476c23a2054392385602c4119aa050fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\prefs-1.js

Filesize
10KB

MD5
7c5c1a011ce7e99c7293579ad86edc1c

SHA1
f271787945fb0afe8c709cb5dd7853bb65129685

SHA256
99154b54b78eeea62b26d6c6a95f72e92df3181869de08916915f59320cc4598

SHA512
0e88e1097d467443542df342537b954350c997f5fb82b503c0a0e8aebad497ddc5054a55f84f2c07284c9cd59c0c1f2da70aa8f428b232bb73169e92c17a6697

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\prefs.js

Filesize
9KB

MD5
a85913326f4a8cc895cfc1af0626b509

SHA1
2fdaf6bcbac9c1603786a382be44012a9689e06a

SHA256
44fa8471f42e73c91b458cd630e95bbfc72516cca0e2a785383b66f288a67313

SHA512
2597499a38a2b952291df32b3d01b65ab4da5fabe670bdaa20e721b10dc5652839a780f93875e75ebefc62e5cb54392db26b7f46a12ebc6748d620010209a5c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\prefs.js

Filesize
9KB

MD5
f93ea3c5435aa1fd19c13317dd804bcb

SHA1
9408366f641f3c67ff82349bb974da4edbcba8d1

SHA256
9a47cc70e8311818aca4e2d55bf6b811920b6a14fcd87f7c3a0d000d3dfd646d

SHA512
a101f43728f5ba0b61568ee389c3f538ee817a773605862e6157d239b0898082b898572e20f7e1aa2ddedf4290be2b9454822fab7e99723a78c82af9c8b0b922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l38mg4qa.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
fc9f95db0630f718a6b67ba18f7f713b

SHA1
9406090e4dbb290416749ec273ca26f3515b45ee

SHA256
bb58852e9f8452b5e8801e3b7aa53c0dd85f64aed6880d7b0e93ccbd8a8b6077

SHA512
d6402a5015c87aef055bf74631a747e4526d5f05bd4b1a67a972cc19557cea80c2da5225f27a4051f022796b285da3f8212b48bfd54a4616c970d004975d9100

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c710a6667ea3c649ee266a981893440d

SHA1
064314508d0579b471c568741ce170f1d6ce61d3

SHA256
1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

SHA512
f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6

Download Submit
memory/2072-497-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-507-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-502-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-503-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-504-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-505-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-508-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-506-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-498-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2072-496-0x000001FA2C340000-0x000001FA2C341000-memory.dmp

Filesize
4KB

Download
memory/2520-15-0x000000001D470000-0x000000001D4AC000-memory.dmp

Filesize
240KB

Download
memory/2520-16-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/2520-10-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/2520-11-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/2520-12-0x000000001D3E0000-0x000000001D430000-memory.dmp

Filesize
320KB

Download
memory/2520-13-0x000000001D4F0000-0x000000001D5A2000-memory.dmp

Filesize
712KB

Download
memory/2520-14-0x000000001D3B0000-0x000000001D3C2000-memory.dmp

Filesize
72KB

Download
memory/5032-1-0x0000000000690000-0x00000000009B4000-memory.dmp

Filesize
3.1MB

Download
memory/5032-2-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/5032-9-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/5032-0-0x00007FFFC7DC3000-0x00007FFFC7DC5000-memory.dmp

Filesize
8KB

Download