quasar | 51a46ec8ab5c2ce8120574862856431ae0fe43835614d7451254349c8449dbd2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

3.1MB
MD5

1b686abfb9749a3afc474b35358777a7
SHA1

9ef8295007e94c46a51a834fc28d5149be6e172c
SHA256

51a46ec8ab5c2ce8120574862856431ae0fe43835614d7451254349c8449dbd2
SHA512

e487f734eed472aae2c850b89a6eafa4d03b1617ef5a19775feeff2710d5a7776babae7b723b8e64af1ee799db4d080b3f1044fd5f395f5303a2783545e506ad
SSDEEP

98304:jve92YpaQI6oPZlhP3YybewoYaM9oQ6D:LO/w7ayoQ6D

Score

10^/10

quasar amogus spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

amogus

192.168.1.8:8800

fdb4:f58e:ba38:2e00:d8b8:db52:2626:c864:8800

Mutex

7f37811d-9003-43b9-bdc7-ed884a935046

Attributes

encryption_key
39AED3F0C038C369268A1B952FEC319172EFD62C
install_name
SystemUpdateServices.exe
log_directory
Logs
reconnect_delay
2000
startup_key
SystemUpdateServices
subdirectory
SystemDataForUpdate

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4288-1-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/files/0x000c000000023b84-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2960	SystemUpdateServices.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3588	WINWORD.EXE
3588	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	test.exe
Token: SeDebugPrivilege	2960	SystemUpdateServices.exe
Token: SeDebugPrivilege	4448	taskmgr.exe
Token: SeSystemProfilePrivilege	4448	taskmgr.exe
Token: SeCreateGlobalPrivilege	4448	taskmgr.exe
Token: 33	4448	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4448	taskmgr.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
996	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2960	4288	test.exe	86
PID 4288 wrote to memory of 2960	4288	test.exe	86
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 3160 wrote to memory of 996	3160	firefox.exe	112
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 3876	996	firefox.exe	113
PID 996 wrote to memory of 400	996	firefox.exe	114
PID 996 wrote to memory of 400	996	firefox.exe	114
PID 996 wrote to memory of 400	996	firefox.exe	114
PID 996 wrote to memory of 400	996	firefox.exe	114
PID 996 wrote to memory of 400	996	firefox.exe	114
PID 996 wrote to memory of 400	996	firefox.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Roaming\SystemDataForUpdate\SystemUpdateServices.exe
  "C:\Users\Admin\AppData\Roaming\SystemDataForUpdate\SystemUpdateServices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SaveTrace.vbs"
1⤵
PID:2944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnregisterProtect.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 27196 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c288c9-f2c7-4671-8feb-313eca8db756} 996 "\\.\pipe\gecko-crash-server-pipe.996" gpu
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 27074 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9fccca-cff2-4d01-b8ab-6e437e107a7c} 996 "\\.\pipe\gecko-crash-server-pipe.996" socket
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3400 -childID 1 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74f70931-cb5d-4e75-b77e-2d6808a9131a} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
    3⤵
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 2 -isForBrowser -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 32448 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c093ec-a1cc-46d5-a1a8-c043ddc62c38} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
    3⤵
    PID:1424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4628 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 32448 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b6297c8-847d-4e3c-bd55-8838e1330b4e} 996 "\\.\pipe\gecko-crash-server-pipe.996" utility
    3⤵
    PID:552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d16cadae-196a-446e-b116-eb6541a265b4} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
    3⤵
    PID:5932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {037c07a1-6700-44a9-afd0-5523f0011fc0} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
    3⤵
    PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
7be2dd38cb0438ace9f84409e7d923d0

SHA1
c256ced795cdce3fbf285e9567cd7f2c76886ec8

SHA256
0496d04dc24555d0724b7fcf65704c6dab66a448b9305185ce1509bfb2a0203e

SHA512
fea55c8dc95f43515acee40783483be2d308748ad0595f0e756931cc3b692ad0483c2724d72fa7bab1dd17e3177c2b42704f5061e552b9abadbf58a84516d224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dee9f522a23f6058947d81f8c55c4f22

SHA1
7328e9a59a6a63ebb079488700e9ee72bfb494ac

SHA256
98d2fc4c2c1603280b46099a9308313a35fb2aebe6c42bf1e120cff1da5e1a82

SHA512
19c46d2de91e2da09b8a60d87e43d43fba4284cf1cca64586d5fa2003e8859a24723351c462419a79ef10c6c75cd534e86b51899ca9b8a376239cef90fb7a159

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
20cbed2452f2cf4ae48fcc27e80487e9

SHA1
4a0d9d557a87f397251d609be0f604c5fd13b4b1

SHA256
38fa93b5e464a035764d9fa300e0e4572d6a9e70c88eed2850d37960ed3e1908

SHA512
5b66d4bfc6e6c951121e71c120c76c65ceaaaea17b47dab8cc7cbead1ec91a30113e68fd8e6c26b6acb7add06ed64d7d90bac7b1a7a75951dedd2269bad8e080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\datareporting\glean\pending_pings\a96d7ab3-7a97-4ebc-9132-06e1d463e8dd

Filesize
982B

MD5
597363190de381875b1bfe01e1f43ca2

SHA1
18d17e1f4ba0a0fbdbe945933cdb0f5aab61c97b

SHA256
9e62e8d843d7b11699fcd49957c55050562ea0c0fcdc88e67464f76e1ce5d023

SHA512
ba5bb32cbaf27af547fb87894bae1b2622ec1d4e3ac85604f0b2e9fb075005008495297c2ab3eaf4a010a7401248f4e5e47e179cca7a1065d73017d3b2791dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\datareporting\glean\pending_pings\c22d9f8d-cc0d-4a61-b862-76842f5b2a46

Filesize
671B

MD5
c7f94c58f944bd69f1fb2393d16068ab

SHA1
07be553d8be98b2b4ddb25005c8a0845b50fd8c6

SHA256
1d2b3c81b098e8f043f1357df7e4c74ec975c552d390857778d8e79c8de87097

SHA512
9235669728f1c22b54851b079291704fddf74324e15a4a24a0cbf05cc91330a7ba0d0a4666990f14dc7f0400e6f3f72a9573caf1cf041940fd82521723b25231

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\datareporting\glean\pending_pings\f640b90b-3888-43f9-848c-93eb1607a9b0

Filesize
26KB

MD5
c67fd7b13a99f0683b170e582732b170

SHA1
be68d729c1ac01818a2097008d44117222ed4fd8

SHA256
df4668ece1a89fec17f171f32065ca7b95774dbb350e035305d3af515db677a3

SHA512
5e75c6fade16654e8c9ac92adcbc752de33ef67119624ba77125ab90f3befdf0bc340d54714ea2e3d41fdb724da5d9f5c250300589126bd5986f5938bcdcbd4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zg9z7n.default-release\prefs.js

Filesize
9KB

MD5
6eb8af4df236a30c655f47a35911880b

SHA1
c2bfe2d8b53148a8764ae18f92e414e6c28d4521

SHA256
b31fee00c5284a65438ad552ec04419b07e50469e7f1e1de0461fbfca182f063

SHA512
942de0c95e0554b2f2815584dbb9094799ad5bdae76ad3df49760310c03d154b8d1697ce902bde3c83cb56716eb172c4d7230294354be22f6be103060c045af6

Download Submit
C:\Users\Admin\AppData\Roaming\SystemDataForUpdate\SystemUpdateServices.exe

Filesize
3.1MB

MD5
1b686abfb9749a3afc474b35358777a7

SHA1
9ef8295007e94c46a51a834fc28d5149be6e172c

SHA256
51a46ec8ab5c2ce8120574862856431ae0fe43835614d7451254349c8449dbd2

SHA512
e487f734eed472aae2c850b89a6eafa4d03b1617ef5a19775feeff2710d5a7776babae7b723b8e64af1ee799db4d080b3f1044fd5f395f5303a2783545e506ad

Download Submit
C:\Users\Admin\Downloads\ApproveJoin.DVR

Filesize
477KB

MD5
c7b6cb02760420ed89ba23d7cc8aa19d

SHA1
da4b991cb666360e725869dbcf2ac81aa3acdb30

SHA256
4d6a104f825089ebea3d4f8296ac9f1cda22c300bb82d8304c1dbc4aee98e05b

SHA512
766508e12dd0ca774f2d80444f4f8a456d0bf28fe19f8be982bc49f1de3929ce7d284f485db72134a6b3993267222efb8783275b12e7ca764b751f55322a25a2

Download Submit
C:\Users\Admin\Downloads\AssertCompare.jtx

Filesize
290KB

MD5
1fed97461990e2495e10405e0e404e90

SHA1
761239568178cb47a2590cf90565673c826538f9

SHA256
c1514671de1cff5323cdb668e2faf1c6fc85d3e2bbac628c684dfaddf2348056

SHA512
a303b682274ab228dc3e75192f943e76194c6d4bfbefcf4c3e47992463f5c016a58571dc61d553a1a2447aa18c16ff64e37eb3dd43342f6a2a31d9819c266379

Download Submit
C:\Users\Admin\Downloads\AssertSync.xht

Filesize
426KB

MD5
060bccb6c7d8abd1367d7a13824c09ba

SHA1
5632b4b5bf97ad6216bbbc4305fd43e2b691a403

SHA256
341f1ecf7b3aa1c9e103a5051826a96afcd586102312806d3134c957d328cb78

SHA512
c1caba8cdeeb5d36d7147ab4727912a99f13f67a24a96c5e5b366d646d0f2dd9e916298b79831985c010a2f5b620c53bf3753599660b1218de6da079e0be3cc6

Download Submit
C:\Users\Admin\Downloads\CompressTest.svgz

Filesize
255KB

MD5
d64a74d2eb6eea18d2347aff68f16df1

SHA1
537f08e6dc1a8fbbefc759188522b2e5c1443249

SHA256
ae0f9ddd16851d724c22088b714645118da1cdec5b79d02cb3c22ce62a7b35f0

SHA512
59b906b4271345ad69a0ac6982644115f599376999c1ebf0d6e287346303e121ab1e04b51c14e0b1cb49975d14c91e8c6ded719491592b0f23e5009d88abad1f

Download Submit
C:\Users\Admin\Downloads\DebugPing.ADTS

Filesize
341KB

MD5
064839720ffab366a5ac933978400e57

SHA1
30bc7346b8bd2eb0a47fc48d3670aff92e42009b

SHA256
02701b8d8fa56a7a544e860667e1691bc433eab27ce985a1e09640ed3ee091bf

SHA512
09903165a7a25d3e167cf6c7cf3c268fc4af3df6533741b747785b7082cd87d97b378c39340e1af2132d458fdd304404df3b6de08d964359df2347609837735b

Download Submit
C:\Users\Admin\Downloads\EnterResume.WTV

Filesize
460KB

MD5
b57fa5e225fd07dd5d2b180ec2156ec0

SHA1
169b0f59e64d188780c7f4f13c9d11dd008c81f9

SHA256
6aaecef1f2daa5f9f2e6c33e0f5b5924c3035ff737dc434dbdc5f468c7eaa84e

SHA512
0ad18629d1d67ec6203689f6c8ddec1af1a23c53c799474dce76aaca75c0d4a96a66c0d123784d68189d5ad70332b945fbdb0875a0f9002ab7365c0ea9ea43ea

Download Submit
C:\Users\Admin\Downloads\FormatUnlock.sql

Filesize
631KB

MD5
89e25d6e598db961535ce135456f03b6

SHA1
3eb88de2693b50bdb6d21a088e355de53b95f5ae

SHA256
ecfd0937a825fd1ce7e999c5e919c57ef1e3c76673ec43f8cc0735ab6ab98ec4

SHA512
7bc057fb2251a6ad36121962a2d717fd4ff58e1c905477c6b5536c9ba3cf4ab8d2da4b4a9ea9676a9a6192447e1e934cfb3bd9ce6f7eb7a407d693cc8137ba21

Download Submit
C:\Users\Admin\Downloads\GroupReset.search-ms

Filesize
597KB

MD5
db58b010ce0b2f7b113fc2a3894652c2

SHA1
f7160a5ba7e7015026906f4a35691584a425b51a

SHA256
846b15975038e9772c2131c1a58ca877e3b93a074bb6a40b6b7dc967ab09026b

SHA512
a0e9f89a9c3b017e6b85dafe4c9ac17d6cfe650038ba450177f94c098d6c23a458266e8e2933c0434380b43685ff3d13fc409acaaf99eee7cc6252dbf3ff48ad

Download Submit
C:\Users\Admin\Downloads\HideCheckpoint.edrwx

Filesize
273KB

MD5
47879ba8700b7bffbf79131c35e2d594

SHA1
28d3468078243c4e9a19657ce3f86f7dd1ca9e85

SHA256
9a6d0b522656615515ff3f3c6e8006e93cce83a2052f9d1fd6b289091ecf78f2

SHA512
8ac7aa7f5eba910cde0427ce65b2c121b08f81bb2bfba9280e1d737eab411eb0e4f16222bf9867e18644c9ee75a7efd8bf790d781065e309daaf2be830ca43fc

Download Submit
C:\Users\Admin\Downloads\LimitUse.ADTS

Filesize
648KB

MD5
aa775193be83142ececdd6caeff19291

SHA1
be01ea56b93eb316b4270b03e787520598792aa1

SHA256
867906b2449eb4041cd8e18087ac94f2f5e1fa60dba5279ad17bd49449331eee

SHA512
d60a566d4e41c86e147c798d02a5d5e08f4a5c2ba112d966ee580e4b62af7725dbd430926f244dadd955c8fa8bd229e63623eccf437700033738bfde6a5521c8

Download Submit
C:\Users\Admin\Downloads\MergeSet.dotm

Filesize
1007KB

MD5
dc20e2dd3f4e3dc01b5d9d77fd0ada18

SHA1
70412a3a1783f1f56856b2fd2fd1b9d038aa0ab9

SHA256
b70a1ee260766618312c60deebe43c8c722888a375421560475222d5a9ea4b9f

SHA512
103ee915682d4360d7838d20f2276b8bbda89b53cf3074b59d3ccc13e356977d06cd7e95c3a38305db394d27d66527a4243530fa276bd02c1a5afc06113d44f9

Download Submit
C:\Users\Admin\Downloads\MoveBackup.mp4

Filesize
443KB

MD5
c7eeff7765b98056c9fc608cc4932f78

SHA1
17159f069970b07638f7eda8f69958909a5ab1ad

SHA256
6ebe1436ad45304c107e6c84d0367c654d64c092ba6d5bcd3e4c1bdea309731e

SHA512
f7466463dd3affdde17c5818cd1289bd80d5e5b9a34443eefc19b96c8386f80e5829f59dc2259a4c55b54ee2a4dc29dffc844d0d7193b604a6c2f513a70ce676

Download Submit
C:\Users\Admin\Downloads\NewProtect.mp3

Filesize
358KB

MD5
1e2c2ee4fc625e0ba9b3e3c74141ee3c

SHA1
d4b343150ace15fc932a6373fe312309ef92f725

SHA256
1544e5f2fcd3341511f82bfcb2ec47080ed5357059e2e41c0a8bcaeba7995ba8

SHA512
cf130d95ca31655ee2bfade11ccae4be5595e411e66e7f9fd1d40fa16a515d85789ff2d4b1843027f87db891968249373f4fdc043701d9bd024689f68bc0bba2

Download Submit
C:\Users\Admin\Downloads\OutEnter.xml

Filesize
733KB

MD5
57b6333cce85246b63875c2a9d595fdc

SHA1
228f83fa31e73d7a83767e614fd4ce69b1996253

SHA256
9f1cff31bbbf64f240fb430e4ac34ec6dff22f77bb4b74ba9837066f247a7509

SHA512
842b96afff966d5b54c3040123e3b8dcdb16974d8b9995629c779c2d6b4ef1081050a24390b832b67ad62af987cf5425eb5b908e38d1fcb8a5d887899f1e5b95

Download Submit
C:\Users\Admin\Downloads\ReceiveWrite.jtx

Filesize
511KB

MD5
d696f7b1dd2c6705312e8b4c488984c0

SHA1
a11393924826c21fdcb57ee46502ee5c9289ca91

SHA256
c923b0a4bed720af0689d684038159aeb97e37a9dc496aaa9e0171c78b69df92

SHA512
0ed50558910e67341ca68c13658a7a62dbaf99bae1a5960de152921be5cb295750bdbb6e368e019bc46b2d7259c14f6f3c7dd87f3f5be8265192d03b734fb202

Download Submit
C:\Users\Admin\Downloads\RedoRestore.mpe

Filesize
307KB

MD5
e93e9c42e0b2c7cc4ad2e604c4d2f264

SHA1
a6f1ab280371201d279bba68012cccf345964cf8

SHA256
080833078a6f13048533e1583b8fdcf9772feaabddb7f9a2e4ee7d1a70be1df2

SHA512
9372909eea833d8a7750a29c8c7ed3d7eca0d1202e4aea3e4cab7a3996e91e6f04eed11c67785e35b88f0b989c248a26a6d5e6e4eef8bd5c6fab8cab5bf6d181

Download Submit
C:\Users\Admin\Downloads\RemoveMerge.midi

Filesize
716KB

MD5
cf46966b6055c77bc4bb1436385bd3e4

SHA1
051cad94fec72e779d4389323d4003d854a20610

SHA256
a164aa03dab455636d3648e42715de72be40c49ed10995fbedb2abbea5278687

SHA512
6d273a961efa2d868a8ec3489884cfb26896bbe1aa56e2c017e1a457a1b09ea930d484f41d79e8f7b8d29c832178081751818346c2c03754a11c70d1c3564160

Download Submit
C:\Users\Admin\Downloads\RequestExit.mid

Filesize
392KB

MD5
bf584eb814b65b2cac79f17114580c80

SHA1
8146b5ddb5db45d453003584767fc73dc931b713

SHA256
f35143d9c830288fc10e99532b2e4aa3260b9dffc276916fde945597c0ff97cb

SHA512
6e563d7a72f08b2dd0262e14ee2dca998dbe2fe2935c3fba2034c6308cf6b7d876314347624cd83b0bb0f35a502da4c7a6f70bebc04558d440cf84aa9c82d582

Download Submit
C:\Users\Admin\Downloads\RevokeNew.zip

Filesize
375KB

MD5
287519d62f2095759fe831ed0623c54c

SHA1
cae0b0dffb483bab572524569168013936c0704e

SHA256
02209c3bf4c41f6e8b905b482d8b9f8d1c73b2861c172ef45c86eccede35b24a

SHA512
0ff4920d71d6572311f03110d2c025cca8af2f50bb3a16d0019576ad37d6615f7f1f99a8d3afc98fec20df4ae40dedcd3b30d46814b99be100a0c6d610ed1fad

Download Submit
C:\Users\Admin\Downloads\SaveEdit.lock

Filesize
563KB

MD5
e2805f10cdb6bafed299a74506cbd43d

SHA1
c8a46904cf3512da8cfef3c4ea5080da91fd376f

SHA256
44a544ec57ee08c8febb8241e8a4d6f72f8c782689a288972f67b387cd88b57c

SHA512
d131c73ae7e884927ede79a950090add7e5ac966564ecdba1b6999a67a1e60d8c17eaaaaa05f19656925b444028535c81b20e11d4b322ddc2ace495368e1b727

Download Submit
C:\Users\Admin\Downloads\SendConnect.dotx

Filesize
682KB

MD5
7dd6e05a59bc0c57d1e1a9e01582030c

SHA1
e4e1686aaa98f00dac702c69e5740efe215d0b4e

SHA256
c5a9f0c2e126c5cd6ac725769c75b41075b393106feef8b2bc9c47b9c1270952

SHA512
60962bfa04daae2a929f95a9fd0d2f8aceaf7942d958549723bc764119c741b59a94f60a04d5f4c204e7836792d2bfd3bc1fbb73be1bb06e6ec26d7f17810bb1

Download Submit
C:\Users\Admin\Downloads\SendUnlock.aifc

Filesize
324KB

MD5
88b67dce85ccdfe1d9c557b9cdf45fd8

SHA1
b404c677dab5b4c3ca6a5c36e6d896474a648e07

SHA256
b8223c8c20e2a6d49c7015489084815b7bc3456fcb15f69d572efec7170767ea

SHA512
f9277fc102a44a35848df9f66c8311632787c9034bb9da5ec387236947ea97632baedc94bc0bcfa0b4bf9f1207aa93908bad8c720cb6c16d0f7101bf0ac0c834

Download Submit
C:\Users\Admin\Downloads\ShowGet.3gp

Filesize
665KB

MD5
2babf4e45ef8c51fc21785ef5a19716e

SHA1
933277aa92435e3dc66467d170aff4ce090cd76f

SHA256
09d1ffdb152c95922fc8d376f53dbd865e8c600c064cefa65d58b2172f77ef82

SHA512
8f65bb412b17c46b40746a84580f5370d127cd29c85bafa612aa0b16196918891deb07c03b6bf095418ca5ed9bd900ed528a2cf3492ce37bf8fb28a9f5938cbe

Download Submit
C:\Users\Admin\Downloads\ShowRestore.vbs

Filesize
529KB

MD5
14cfdd8ba162c78d919d7b4af9c653c4

SHA1
efae915b743872d3c5be2731be265f0b772850c2

SHA256
d84be7bca8eae2b087f47b5d8a9ab068a0da135ce2a3bdc8396d3601b3bc9369

SHA512
948254245bae46c314fa7ba08423a707d1570ea7d8b3e9e02ff329835af94cca98aee3afae6e29a17f1dc6c4f27d8842329237531f6410858c4a07e29a3b12ef

Download Submit
C:\Users\Admin\Downloads\StopRequest.mp2

Filesize
546KB

MD5
2c0a6f1d45d4081c0a1d8376b1dcfe1c

SHA1
18f5ed19f61decfa18708f903f60c49c4aac75a7

SHA256
f42e5b0c22d4b0b58dae7c8352a4204773f780f8180ce78cece8315cdf993ac7

SHA512
a4101575cb5e0c2dd732773a0b5a9df62789ab615efe5177372bebd85af0ac4fa9af0e9ee23e34c67e1196da4b7f20c280f672c30b37fd3961603606ce455dcc

Download Submit
C:\Users\Admin\Downloads\SuspendPush.rtf

Filesize
614KB

MD5
cff51015067b603faf63b76b3fac280f

SHA1
773a721c8404b2a3b94b0d50e12d5d1929ed8ee5

SHA256
f77cf698a5b97f710b6496a2beda96eaebd83417564e53b38a3c2338b376d324

SHA512
9a59833f3f2174f9182dc33c13cddf5b83a7d07b02b5421121c26ac31a80fe36904ae3ac5e28225a9e33334cd45de38a6a2dad67b232c30e8d9ae63c7abedaa5

Download Submit
C:\Users\Admin\Downloads\TraceSearch.au

Filesize
494KB

MD5
297ee82e74cf109aa595b7fb2bcbe557

SHA1
d315e47206e1b010246868e79843630baf1242aa

SHA256
2864adb06348d5cb59647819b60a17f30c4f6a7f6d4ed60840a3667b5999e1bc

SHA512
93dd4ac5d6ac64d4740d5fe2887361a6dc48e66d6827185466347f71d999980a3957e661a1bdce1d2df624c09725538a866f97cc6c7071cda75354e3fcad0508

Download Submit
C:\Users\Admin\Downloads\UndoUnregister.3gpp

Filesize
409KB

MD5
5473aa54937b95cfc8e078446c3bca00

SHA1
66c3f4fd6a306d61148fcf7163d35f0858189dd9

SHA256
3cdeac557a9b2664fc883512b6fd2ddad01407030532a51069ec68dbc1d8facf

SHA512
a4e9493f90264aa9f4e45fc912dd6551b13a7fb5925465ef6c0fb3ea692ccb515bf22e17c2dc6c893f34ec7ccb02d355607598fec2fe7273ed31200dcb56de74

Download Submit
C:\Users\Admin\Downloads\WaitSubmit.3g2

Filesize
580KB

MD5
5f987635478bce5852b3e82258cc227a

SHA1
a39559259969487dd33eed1e2b9c8c5d24248b88

SHA256
2717e86617c70331e08a09f2be6d53d9c1a78d685f26f9980e0b674c2ff67dd1

SHA512
c3e9f36f84834c055e4ed6cf62bbd22e024863309801f801b983dcfe782b853aaf6a75c8d83166cfb79f43f37150c9933892b745fb45aa9edf778fa860bb85d7

Download Submit
C:\Users\Admin\Downloads\WriteRevoke.xml

Filesize
699KB

MD5
31688ba42bc1924b093a22490613ada1

SHA1
cfb9397399d00e675dff24e1b1914c0baee05207

SHA256
aefa2f4607c5aef6b3e267c0b6627424ed0b32b60359105f4696b3aba43151d9

SHA512
43de4a4ef706d366c63ee8214d4fcd7dc710034cba68c64e9bf065842904abeace8c3916f95f74771a34227f63368f3c3b84316425b410be99ac97dd405521c6

Download Submit
memory/2960-10-0x00007FF805680000-0x00007FF806141000-memory.dmp

Filesize
10.8MB

Download
memory/2960-11-0x00007FF805680000-0x00007FF806141000-memory.dmp

Filesize
10.8MB

Download
memory/2960-12-0x000000001BE40000-0x000000001BE90000-memory.dmp

Filesize
320KB

Download
memory/2960-13-0x000000001BF50000-0x000000001C002000-memory.dmp

Filesize
712KB

Download
memory/2960-14-0x00007FF805680000-0x00007FF806141000-memory.dmp

Filesize
10.8MB

Download
memory/3588-16-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-19-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-46-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-48-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-49-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-47-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-21-0x00007FF7E1510000-0x00007FF7E1520000-memory.dmp

Filesize
64KB

Download
memory/3588-17-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-15-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/3588-20-0x00007FF7E1510000-0x00007FF7E1520000-memory.dmp

Filesize
64KB

Download
memory/3588-18-0x00007FF7E3710000-0x00007FF7E3720000-memory.dmp

Filesize
64KB

Download
memory/4288-0-0x00007FF805683000-0x00007FF805685000-memory.dmp

Filesize
8KB

Download
memory/4288-2-0x00007FF805680000-0x00007FF806141000-memory.dmp

Filesize
10.8MB

Download
memory/4288-9-0x00007FF805680000-0x00007FF806141000-memory.dmp

Filesize
10.8MB

Download
memory/4288-1-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/4448-62-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-61-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-60-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-59-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-58-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-57-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-56-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-50-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-51-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download
memory/4448-52-0x0000014E71EA0000-0x0000014E71EA1000-memory.dmp

Filesize
4KB

Download