quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
70s
max time network
74s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/11/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045049-2.dat	family_quasar
behavioral1/memory/2200-5-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2200	PORQUEPUTASYANOSIRVE.exe
2940	Client.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772474145586814"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
684	schtasks.exe
3200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	852	7zFM.exe
Token: 35	852	7zFM.exe
Token: SeSecurityPrivilege	852	7zFM.exe
Token: SeDebugPrivilege	2200	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	2940	Client.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
852	7zFM.exe
852	7zFM.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 684	2200	PORQUEPUTASYANOSIRVE.exe	90
PID 2200 wrote to memory of 684	2200	PORQUEPUTASYANOSIRVE.exe	90
PID 2200 wrote to memory of 2940	2200	PORQUEPUTASYANOSIRVE.exe	92
PID 2200 wrote to memory of 2940	2200	PORQUEPUTASYANOSIRVE.exe	92
PID 2940 wrote to memory of 3200	2940	Client.exe	93
PID 2940 wrote to memory of 3200	2940	Client.exe	93
PID 2984 wrote to memory of 1244	2984	chrome.exe	99
PID 2984 wrote to memory of 1244	2984	chrome.exe	99
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 3448	2984	chrome.exe	100
PID 2984 wrote to memory of 928	2984	chrome.exe	101
PID 2984 wrote to memory of 928	2984	chrome.exe	101
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102
PID 2984 wrote to memory of 3284	2984	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:852

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:684
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff0d9ecc40,0x7fff0d9ecc4c,0x7fff0d9ecc58
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2336,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2320 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4384,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,215563195579836595,15692551097192020102,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2796
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff6a90f4698,0x7ff6a90f46a4,0x7ff6a90f46b0
    3⤵
    - Drops file in Windows directory
    PID:4916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4ec7d565541cffb83ef1c7887cd07018

SHA1
cf3ed220b36e4a27cd0f153f7c61b60268d160b9

SHA256
94f7c03b4953ec6b94e5e87d97c85f73d916628a25616a3feb2d68b7170bf1a3

SHA512
3013df0d2c11b3b911856fe5f47f7192c5d6704835991d3c584a372339e823be54e2df5572e9ac6e276af8db12b230865170bb422f383b3883420f41c249c444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a2742ae64c22b65476e7c95226db4abb

SHA1
79bd122bfc3fee1291ed26dec2ec5f556e993c8c

SHA256
0b973a0baa9173b701644ea950c03fd41412b8e71e533d6b665fa1baa3a1e0a1

SHA512
faf0b312962b86612a79bd4ecb625810cc999771e0d0c2f7046c443b4c9b9e18e0d65a0d1610915f17cdb8b0e6fc614675e5070c38c37cd356b73fc3785a5cf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bb9846f52fbe9fded3bd563a6285c956

SHA1
8180fc47ffa4270cdfab270a383de4dddd675be5

SHA256
97826fc1126334e89ea3774982e6063472fc53103139ae49eafe15ca48e6002c

SHA512
785708abe16a112d183d4fd290328f24b589914f1d7dbeb5aa0f0a733d5f774d1e7b213986997fab7c8741b804e7b17e5cdc3bd9d8cd73fa9ac31249fcdcdfb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65d28574e5831ae51d64a823501a8346

SHA1
98fe5133525222cc41f4d3db99b9261088bcb5c6

SHA256
cbe597622329d54fc1d6fee430ceb2e77d2e2113a47b483ce75ad4663b08e1a1

SHA512
ee5a316ca5cd665d2752458ee7c053cd5d59406928a2223927727a4ee2e7312deba89387791c4da26e695182baa13ce3aae9701394e316fa3a4cc08a6b437e45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd078ddee5ad65ab6090739ddd427f92

SHA1
918176a8c8aa8dc3d3cff871695402f655a4e9bd

SHA256
ae5afe61f462aaa973468256c762fab276b63f39287ccae0dcd6a9470fde2b13

SHA512
4d36ec1bb18ec6f5d80c1a89100d67a20c83f2e7bd665a3ce85c8b4142cab9e86c8902d7c9596e54329b13a811936e903411ce17cb5861fc8c49dbb40c29334e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
63bcbd38f1a538ff77be0d67ad4fbee9

SHA1
74bb3e734a8df53504b3b9dfbed5bccef3eb95a8

SHA256
06f600578ab80478c582e38f4a7b56016166c91f279b5d8f8c5d2b55f165718e

SHA512
be1d528667a831bce5dc48282f600962353975637b5479f3cf0a800feb59d89608918926ab222bc5134ed3c56739611b48499a38fffea4f1ab23730158544df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
7d401001b0d919f0aec0a387915a7e03

SHA1
07def476606262dc509d040925334b97cc37c4b0

SHA256
ce03d96ff8087020421b04b758dc1020ac9b575fb126afe4f78ab5af719ca2f9

SHA512
44c6772e7f05635eb2df925e0bb136c7b8e867d4afe7990760ca30d79fe2590f0bc423871ef9dbf9e86d35a2235895da87a377c0e58c610d5cd708e15d4bfeb3

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/2200-6-0x00007FFF139F0000-0x00007FFF144B2000-memory.dmp

Filesize
10.8MB

Download
memory/2200-9-0x00007FFF139F0000-0x00007FFF144B2000-memory.dmp

Filesize
10.8MB

Download
memory/2200-5-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/2200-4-0x00007FFF139F3000-0x00007FFF139F5000-memory.dmp

Filesize
8KB

Download
memory/2940-10-0x00000000028E0000-0x0000000002930000-memory.dmp

Filesize
320KB

Download
memory/2940-40-0x000000001D9D0000-0x000000001DEF8000-memory.dmp

Filesize
5.2MB

Download
memory/2940-11-0x000000001C4A0000-0x000000001C552000-memory.dmp

Filesize
712KB

Download
memory/2940-14-0x000000001B330000-0x000000001B342000-memory.dmp

Filesize
72KB

Download
memory/2940-15-0x000000001C3E0000-0x000000001C41C000-memory.dmp

Filesize
240KB

Download