quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
95s
max time network
98s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-12-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0028000000045090-2.dat	family_quasar
behavioral1/memory/1548-5-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

PORQUEPUTASYANOSIRVE.exeClient.exe

pid	Process
1548	PORQUEPUTASYANOSIRVE.exe
1836	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776457135452061"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
404	schtasks.exe
648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
4840	chrome.exe
4840	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exePORQUEPUTASYANOSIRVE.exeClient.exechrome.exe

description	pid	Process
Token: SeRestorePrivilege	3896	7zFM.exe
Token: 35	3896	7zFM.exe
Token: SeSecurityPrivilege	3896	7zFM.exe
Token: SeDebugPrivilege	1548	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	1836	Client.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

7zFM.exechrome.exe

pid	Process
3896	7zFM.exe
3896	7zFM.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1836	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PORQUEPUTASYANOSIRVE.exeClient.exechrome.exe

description	pid	Process	procid_target
PID 1548 wrote to memory of 404	1548	PORQUEPUTASYANOSIRVE.exe	86
PID 1548 wrote to memory of 404	1548	PORQUEPUTASYANOSIRVE.exe	86
PID 1548 wrote to memory of 1836	1548	PORQUEPUTASYANOSIRVE.exe	88
PID 1548 wrote to memory of 1836	1548	PORQUEPUTASYANOSIRVE.exe	88
PID 1836 wrote to memory of 648	1836	Client.exe	89
PID 1836 wrote to memory of 648	1836	Client.exe	89
PID 4840 wrote to memory of 4400	4840	chrome.exe	100
PID 4840 wrote to memory of 4400	4840	chrome.exe	100
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 5068	4840	chrome.exe	101
PID 4840 wrote to memory of 1768	4840	chrome.exe	102
PID 4840 wrote to memory of 1768	4840	chrome.exe	102
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103
PID 4840 wrote to memory of 3152	4840	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3896

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:404
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff945fcc40,0x7fff945fcc4c,0x7fff945fcc58
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1824 /prefetch:3
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4404,i,8504090880026914605,2350093759276322792,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c1bf890916bf25cb00afb53ee8e22310

SHA1
fcdb63855e983dce7c9d7dbcc7f505e28cb426b6

SHA256
1211840780559a857d5665432a886e9b17c3fe02e9fbc4cc365da54dcdfd2021

SHA512
a162e36d3f61d6bd23f5adfe9c6e7425eee6da7fb3fec3ba54b992a5602a9e281b22ca5264e5584e3ac239a5548482e3e6526b0c33b348fa512077f5fe26ef93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d2be25441c9cf9d6f4aaa63c3ec8ffee

SHA1
cda5cc990badd6ad5e28f1493151e3833e0d7c8a

SHA256
5e756e61ad1ccb4a2af0dec304207497212b0c010f1a0744b1c6f1bfcedb5d33

SHA512
c0cf45b079aacc4962d4dc173c1b7bb7b1b1dfadda8cf17bcd6f71899e700805faa7e3b4de49bf0ec736320ed118f85b040d247b53b94cb82a78ad5c01db066c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2998c3c735cc9508e06d38951dc025f2

SHA1
f1e8f0a420bbc6f3efbb44a6f55a783e11afbbe5

SHA256
3c2ee438fc574783c8ac7e086d5be230d02e893387a224cd6191fad0eab16022

SHA512
a6da04aac4f9267758a596341bedc6ae11c4644f667cee25e76648270e41d50c5f36b3ca96137e02dd9912a1cd6e604b81cfac6193f826f66ee5aa6a882aaa72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4aab8cdd32ed2a3a64b02c69c9612fe0

SHA1
e7847b5596095fd59b16f306938dfc5d5d783b32

SHA256
4e9dbd9ff88741fbe8eceeac28731418090a2dac73eeed5edbc45ddc5aec4391

SHA512
2d1a87d5fdf56a88a9b80f2dc13b3b8fb5124a37ffa0c94d2b9ed928931a68e6609243a9b54ab38b8ffb420cc8e8c82faab1dbf606499a54b5608417f5c71cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45349129e819f4b7a71f85740f313ec3

SHA1
fe1a1a4a7a241842a6cfe51f8f9e6493315b04e8

SHA256
75e987f2a0fb4e898fdcfbe8b8644eb6f69e957332bc5fd4fd2c6c20eb2167ff

SHA512
1b42c1799626daf9920a6672fae0d8649894807f76d55f5e404811ee0d6ad03aac9b2e725fb6c6bc6c9314cab8c077ab2bba527e3d65244b2bdd811129eafa98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1d9c5c5dca1e487883f601519b53f72

SHA1
2d60c403f3e47e0fc27c95403dd4cbeffd41b4fd

SHA256
a65b3eb7677254c7fffdab24183b76dc048f32fd3df9a9d81200a6f48cfe683b

SHA512
b7ac40fc2d69015bc8f5b33f83d0db00db7e20583df516e8c3ab065fb8beca388e436e84b5965470f50d42dea1218361795384cbd314ef780a1bcf762f4203bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2d7fdd05bc2dd9ee4a1bcebf968e599d

SHA1
7c949ffceeaea986059cc83cb1b363602b7faa62

SHA256
acb6fd4885738ef81cdb2cf6adc2bf122799b7b0a459a70a572b94ceb25b1ad8

SHA512
4c6ed97a8761cb7aa89c7c06dc49a40104fee486dd9d34c549925ca8bddb8132adbfb9207166124e10fa1e3d4c89458448bceb229c4f08f7c7e331baa5f6d635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
384c4f6d424d40de6575acbd5e1abffc

SHA1
cdee0538e444d1f238c2d31f4073f7fc53925973

SHA256
13cc9a46ebffb233f8de029c6645b203ad8bfe92aab94021dc336da57c5264e1

SHA512
417cd27ea52767f9ef33f907843cf644848aa938d8e19283f8d36fb7d07f3a11f3220d7eee4b712888408cbb6404757e585d1c6333ffc1e690aaf187b3e71954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
d23905e4ed1e2bad21aa61358160db17

SHA1
4d3418fc4ff5bc80d6524a926b03164a84d359eb

SHA256
d1dee8c485074fa2740f2eea182f9254156e1f8f12102ad3708ea166123419a6

SHA512
36e96b2ebc7e543f874978cd2cb8639def9f1284f432c4a20fbb2575a9f1ecda1635f5c6420d89f996f2ac77473abedbeb94ab11473134673713feed02b6750b

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
\??\pipe\crashpad_4840_JFZLAXEGFUEIIUAV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1548-6-0x00007FFF9A620000-0x00007FFF9B0E2000-memory.dmp

Filesize
10.8MB

Download
memory/1548-9-0x00007FFF9A620000-0x00007FFF9B0E2000-memory.dmp

Filesize
10.8MB

Download
memory/1548-5-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download
memory/1548-4-0x00007FFF9A623000-0x00007FFF9A625000-memory.dmp

Filesize
8KB

Download
memory/1836-10-0x0000000002AC0000-0x0000000002B10000-memory.dmp

Filesize
320KB

Download
memory/1836-58-0x000000001E220000-0x000000001E748000-memory.dmp

Filesize
5.2MB

Download
memory/1836-15-0x000000001B5D0000-0x000000001B60C000-memory.dmp

Filesize
240KB

Download
memory/1836-14-0x000000001B440000-0x000000001B452000-memory.dmp

Filesize
72KB

Download
memory/1836-11-0x000000001C970000-0x000000001CA22000-memory.dmp

Filesize
712KB

Download