quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
87s
max time network
87s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/11/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004501a-2.dat	family_quasar
behavioral1/memory/4320-5-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4320	kreo q zi.exe
3968	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753060248355580"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5044	schtasks.exe
4640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeRestorePrivilege	2844	7zFM.exe
Token: 35	2844	7zFM.exe
Token: SeSecurityPrivilege	2844	7zFM.exe
Token: SeDebugPrivilege	4320	kreo q zi.exe
Token: SeDebugPrivilege	3968	Client.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe
Token: SeShutdownPrivilege	4264	chrome.exe
Token: SeCreatePagefilePrivilege	4264	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2844	7zFM.exe
2844	7zFM.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3968	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 5044	4320	kreo q zi.exe	91
PID 4320 wrote to memory of 5044	4320	kreo q zi.exe	91
PID 4320 wrote to memory of 3968	4320	kreo q zi.exe	93
PID 4320 wrote to memory of 3968	4320	kreo q zi.exe	93
PID 3968 wrote to memory of 4640	3968	Client.exe	94
PID 3968 wrote to memory of 4640	3968	Client.exe	94
PID 4264 wrote to memory of 2396	4264	chrome.exe	101
PID 4264 wrote to memory of 2396	4264	chrome.exe	101
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 3436	4264	chrome.exe	102
PID 4264 wrote to memory of 4760	4264	chrome.exe	103
PID 4264 wrote to memory of 4760	4264	chrome.exe	103
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104
PID 4264 wrote to memory of 3444	4264	chrome.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2844

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5044
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa0878cc40,0x7ffa0878cc4c,0x7ffa0878cc58
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2092,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2104,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,18297551732818362267,13847502351538298407,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\15f7c646-a361-40fe-96cb-c2c7ce174163.tmp

Filesize
649B

MD5
13b5db5d89a9168fb0d1d6794941cba3

SHA1
57592db2b4bfa50317395091b700ec96ca408985

SHA256
4bb3055191ec7d54c0246edf0c7dccc82a03350e8e10652aa6e460992a5bdb19

SHA512
cc9a3be02b44874bf14020ec8d8bceb878fa8d8b24a64202432a6473d7a39df9d32c4d8c5e007a1a24271a194c2d9208da52af1c81cd13c5cdfb56d1cb9c26e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4af98948-459a-46e9-8954-2a8b762c7e7b.tmp

Filesize
15KB

MD5
fa0e257496ffe2d4d3833d1bacdca0c3

SHA1
aea04e185e7ff09c1a43b27fe4fb2eeba927c9ff

SHA256
8130eabfe01df036eb71837cec7c9c7a466b8da2ec77a2b451d6e36684172cda

SHA512
9e8c11ed5c399fbf5c34ce2f180693d3dde3ab5f27574f420caa854144810088fc2783b6e7e10239bf317863deafe6e43b381d9f45979d2ab9ad8d0c5ded1fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f0e0f3f68ce16b290830c9470d86e5c0

SHA1
d9050821fb652973d6ae8a5434226781788ca0c5

SHA256
855d405618c2493729c620294528db49ab593f70aba206829d7132cfcbb0c68a

SHA512
79bac9c48edce46f8e35c0bab9fedf602dbb4e1ca55f7d5b6b4f9dfd1309e657689163cd0410f68fc44be1265c4f2d3cbcb74eaa3680640ee9006fc8be7813fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
42b1774e0a8369c0d30f6fccd010eb8f

SHA1
e031d464665cb647029fc38237f0b26e2c39ff75

SHA256
98b321a8891a7c82a5283d64bc36d41093e473618a8555847167f1c2f4168e65

SHA512
b8c29cd8d8915f6a7de7e9f279911501eaec82262138f57bd0ef3aa6e4c24850a5df8e4f3b394823a774d3ff3e607d88599060dd812ac28aed53bfa492a6a91c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e824d64e68063219bc8472eae68a0715

SHA1
2296ac13f23755bb50adc5786332fc8c70ebc96a

SHA256
2047f71ad1c781340cabe8cec03f598fc7af1879e2002f503ca14110bdb37139

SHA512
75536cada4d48c956ee31abac067faa9cf28186230e958562bf12575994294ad51ef860a8d0267c967b42802a740148859af524b0be89872de9dc7ea4966690a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
53088eae3ea01258235ffd86044c9503

SHA1
0b4b88f66fbd8d143b365fb43c5628e53802ddc9

SHA256
29ee864ec1775df14c5ef6537e0870e0dc381121aa8d1df8d0bb56275d265ca2

SHA512
848f60acb707b990a01b44972f5bf063c9e39f0fac83a39142d3388510080f76223748d165ff3f96e19bc1a262c97d2ecfde030570ab27cca9902f98e2698a01

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/3968-15-0x000000001CC70000-0x000000001CCAC000-memory.dmp

Filesize
240KB

Download
memory/3968-14-0x000000001C0F0000-0x000000001C102000-memory.dmp

Filesize
72KB

Download
memory/3968-11-0x000000001C170000-0x000000001C222000-memory.dmp

Filesize
712KB

Download
memory/3968-10-0x000000001AF00000-0x000000001AF50000-memory.dmp

Filesize
320KB

Download
memory/4320-9-0x00007FFA0ECC0000-0x00007FFA0F782000-memory.dmp

Filesize
10.8MB

Download
memory/4320-6-0x00007FFA0ECC0000-0x00007FFA0F782000-memory.dmp

Filesize
10.8MB

Download
memory/4320-5-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/4320-4-0x00007FFA0ECC3000-0x00007FFA0ECC5000-memory.dmp

Filesize
8KB

Download