quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
161s
max time network
163s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000450ee-3.dat	family_quasar
behavioral1/memory/2680-5-0x0000000000C80000-0x0000000000FA4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2680	PORQUEPUTASYANOSIRVE.exe
3216	Client.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768921173790049"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4248	schtasks.exe
4616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
3216	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4272	7zFM.exe
Token: 35	4272	7zFM.exe
Token: SeSecurityPrivilege	4272	7zFM.exe
Token: SeDebugPrivilege	2680	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	3216	Client.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4272	7zFM.exe
4272	7zFM.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4248	2680	PORQUEPUTASYANOSIRVE.exe	93
PID 2680 wrote to memory of 4248	2680	PORQUEPUTASYANOSIRVE.exe	93
PID 2680 wrote to memory of 3216	2680	PORQUEPUTASYANOSIRVE.exe	95
PID 2680 wrote to memory of 3216	2680	PORQUEPUTASYANOSIRVE.exe	95
PID 3216 wrote to memory of 4616	3216	Client.exe	96
PID 3216 wrote to memory of 4616	3216	Client.exe	96
PID 1032 wrote to memory of 940	1032	chrome.exe	100
PID 1032 wrote to memory of 940	1032	chrome.exe	100
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 4448	1032	chrome.exe	101
PID 1032 wrote to memory of 1080	1032	chrome.exe	102
PID 1032 wrote to memory of 1080	1032	chrome.exe	102
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103
PID 1032 wrote to memory of 3312	1032	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4272

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4248
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff88d53cc40,0x7ff88d53cc4c,0x7ff88d53cc58
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4732,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4392,i,4049002854097072877,63421881177320790,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3fc15488-0d6e-4998-bb83-8517f5978d12.tmp

Filesize
15KB

MD5
296f6982334bde9c8b9532b3c8c3cfa4

SHA1
dd265d520524cccfc375fc3df429f1e057f29ff8

SHA256
9d81646cd1a35221c754b835fd5fa174a4e10ea1513d1ad30313c356161e2218

SHA512
42f769ac42cd22f88aaadd20b340f13d7918b288a7f86a3b2b6e997dc6d26a474f9b7279d5b86d862b3a9cbedeae8646d558f7d23b07a9600671ed79d6aaee61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
82bee5fef65d00439f0a44f346c3fb8c

SHA1
85942bdc0b9a377509ebe028dc5c3c27f79a1db7

SHA256
f506a7366534a564cc75a164415b50eb484a1baf465af4829f1af43519f00e33

SHA512
d8852ad1da94d778db3b185c637cf94f61821b62c5dc5263729229a14b6b05ca91010e15e74afbaab312e2d5574cc2f6685fb49f7594a23198d666a3b160dced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
4f820e457b1446dc004d3f320285a611

SHA1
9a8223db2dbf286d6971d5527448d5629e8e1d4f

SHA256
61305ef9148090721a1cdd7982d67213e77ae89174a039df035469c3fdf8760a

SHA512
f482bb8a521d4a3d6f7ec51d12335a2b5cbfa98c253fcd3bd73f050e4bf27ea8a3e20751f16b804efae688d44a1a7ef8f23c7572058e01002322ed7f6a57b79f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5b91189926be06d7be78b2b9b05a11b9

SHA1
3e61da3a822c643d3d93bde04ea87061eabe0c0c

SHA256
3afea33e325357b0e8183dd91a5f8198a04406d61387bec3b01cba9cc4a73a33

SHA512
97edb297e566949d412a7f865dbddb3c025bbce69646c0abc5e7b5c26ee103567f87e3f240b31c48a98d457e762a4e8701b6664114e1f8e517330f309f2c6baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5b60deab7355042c9aa1cc37d3b86e3c

SHA1
0854a9443c9baec0ea4f8bdf3e073883530a6ccd

SHA256
8e40c0171ac9621419a523ed9e7aaed85ecbe20ee6e2ee659686ae9737299a77

SHA512
2ee38b6d532eb361b8e0ccbc97bd3c386dd6267d9b789e67ec24f7ac1cec9ef4959dd42188cb8ccd56e08813568dfa6bb5293f2f6848d334229636dd1aa08f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2793edcc2b24550bb43d764b887c241a

SHA1
f2867c2011ec723829635ec18d464c767333401f

SHA256
e38991f1b668f3a1f6029b2c9278be87048f76b958e0d606fa26b790ebcbab81

SHA512
e9546fd058644b2e278bfd22ead3c34d699de96824d32aa7feb431f488f7f411d2f4491029d3e51fff314eabe32b9850202ff17e599e5fea5fb1ca319bc0afdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29db780e59b3029ad9ad384813b42e83

SHA1
b09d9ae48b3d5cb58b297c4ac6a25eb9f36cbb8e

SHA256
f0c10b6a08f3df6a717655488aacc41e3067a72c824d6abe75884fee37c0809a

SHA512
6f9188cd5e6aa62407825859d0dca711191963fa29d033b9d068db68cfa8cb4f5d74306e01050fe0e26ad034bb75088a0a579b59df5f45086f02e24d53f3a839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e09de3f382744c49fba7fcdaaa89992

SHA1
3561b450d9a3781da426047889564d37002708bd

SHA256
f49021c07505e97ba528b39b6f78140bc1d078aaaa6d3d33e293a01255063898

SHA512
bad5e1503994e7735f44dfcea2949a28b8960b46c6b96f7c869155e418b0a4fa1dc696e27250e0c596a89cd46f8aa28aae68cb946eb0a874f9f05674bb6fd5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b05cc23e5d9b8dc749374ce62d1175ef

SHA1
290f1f8c6ccf9d1dd4643682cdfa86bd6009dcbe

SHA256
a2d62f42a66d81321f125a34c40fac3e7c2beb06ab998cef278364e6dc7c03d3

SHA512
81e226d6636453a3a7b8a1b71706c3a1ce090b6584622226d881fefea7cc056bd6116a0c9d206a022dda6d10184cfea5327b7ee354d07a90791bee12c260eb6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5e0d66a79038378eab49176a186c255

SHA1
5348abfecabe32421c4755b74dc5d9466dfd5b4d

SHA256
df2d3b200b957ce07c7ea00ea37762de55cb9ca4310d1ad5bac2bbdc3f81584c

SHA512
1649780eb731772c1b413bdd2d62fc75b6d1056c82f2351b2f6228056954747b16856ff70afa2cef959b15d0b3c29d511d2df8594cc185389e4cfc0de8ad77c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
327c89da8cf5619f14665d3f5402e65d

SHA1
2ecb81f2384de8a1c14882b81684bd2e371a17ea

SHA256
cab363c079e7a8d9c86682d1b19a5b8baeca41d9697450e89729acdfe62e7843

SHA512
5610fc96393f37b47b63468dbe9b0e87525dc0f139f6319af1bcf16503d139364ba302272772faa806a0d48c501c82f8b7cb88a18bd4cf2718ac9704c4533489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
80ddbbef00afb5c9626fdd94dd72d0f1

SHA1
0861e477a17ce350689178e5db001bc4db4497ad

SHA256
916788cf405ee67b336ba772d25ea735815c8fe7fe3907c1122aa178e59796cf

SHA512
d122244dddb5881452b8a3ebe0963ea45154fb431a2e1d37a15442e669ce29722e219b82b1b6234f573a88f1194cbd069248d9e660868478b536d09963a4c8e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
2212e2ac4bea7e379703467b686a9fd7

SHA1
5ff72cbac3055a5bf0c1345f9fdcbda5061edb88

SHA256
69b688815f3b3b3f123ff31b8d838007033d26414a8cbab70980c75fc9d91106

SHA512
7f0403aeb0456f020f803f14cbf569573841bd5acaec912058e0e9e48bc5ca3ee15bae15cf85e2e82281f79adebf52cb804adcc49d64d75e1892ab31d6726e76

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/2680-4-0x00007FF892C83000-0x00007FF892C85000-memory.dmp

Filesize
8KB

Download
memory/2680-9-0x00007FF892C80000-0x00007FF893742000-memory.dmp

Filesize
10.8MB

Download
memory/2680-6-0x00007FF892C80000-0x00007FF893742000-memory.dmp

Filesize
10.8MB

Download
memory/2680-5-0x0000000000C80000-0x0000000000FA4000-memory.dmp

Filesize
3.1MB

Download
memory/3216-40-0x000000001DDB0000-0x000000001E2D8000-memory.dmp

Filesize
5.2MB

Download
memory/3216-15-0x000000001B5D0000-0x000000001B60C000-memory.dmp

Filesize
240KB

Download
memory/3216-14-0x000000001B570000-0x000000001B582000-memory.dmp

Filesize
72KB

Download
memory/3216-11-0x000000001C7B0000-0x000000001C862000-memory.dmp

Filesize
712KB

Download
memory/3216-10-0x0000000002AF0000-0x0000000002B40000-memory.dmp

Filesize
320KB

Download