quasar | 129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de

Analysis

max time kernel
35s
max time network
38s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-12-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimbot MTA.zip
Size

1.1MB
MD5

daa57cdeeab30823f89e5349b832a817
SHA1

feb679856d7a4a04d5e1a26e741dd6deb5ee0e88
SHA256

129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de
SHA512

1403f94c54374a91e8d9e29b594b490ff49c16b4bd404148157e7b2a7eb57beced3459e612045433e3b4a0f78aca93d34fe2f4c198fc5669dee85c139273f376
SSDEEP

24576:3bPC4RI32t9KyRPCKNJrYjWj1JkpsnWvWjI7mBPJiOMSeFAPNuHWE:rKsIm3K8voCApsnBnFJirjSU2E

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046191-3.dat	family_quasar
behavioral1/memory/4116-5-0x0000000000C90000-0x0000000000FE6000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4116	Aimbot MTA.exe
1956	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791406316519517"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1006597246-3150276181-3318461161-1000\{D25B657F-CB80-4CF3-BEFF-F3D9FD7FA520}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
4904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeRestorePrivilege	1664	7zFM.exe
Token: 35	1664	7zFM.exe
Token: SeSecurityPrivilege	1664	7zFM.exe
Token: SeDebugPrivilege	4116	Aimbot MTA.exe
Token: SeDebugPrivilege	1956	WindowsUpdate.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1664	7zFM.exe
1664	7zFM.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2012	4008	chrome.exe	93
PID 4008 wrote to memory of 2012	4008	chrome.exe	93
PID 4116 wrote to memory of 2684	4116	Aimbot MTA.exe	94
PID 4116 wrote to memory of 2684	4116	Aimbot MTA.exe	94
PID 4116 wrote to memory of 1956	4116	Aimbot MTA.exe	96
PID 4116 wrote to memory of 1956	4116	Aimbot MTA.exe	96
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 964	4008	chrome.exe	97
PID 4008 wrote to memory of 3520	4008	chrome.exe	98
PID 4008 wrote to memory of 3520	4008	chrome.exe	98
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99
PID 4008 wrote to memory of 4056	4008	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aimbot MTA.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1664

C:\Users\Admin\Desktop\Aimbot MTA.exe
"C:\Users\Admin\Desktop\Aimbot MTA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2684
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1956
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff9fa6ecc40,0x7ff9fa6ecc4c,0x7ff9fa6ecc58
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5252,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4844,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3244,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5452,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,2064696965779732280,1456943380805910946,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:3092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3175c587-8fed-47e7-b6de-75b154479069.tmp

Filesize
233KB

MD5
d096527e811105cbad0581d33f77e394

SHA1
8688c1dd81e2c982609fe1e01716b5f7b4868bd6

SHA256
ae16ebb01b3f0a67714366d772cf50f5f26944f88fe9b87b443c559551be59eb

SHA512
65b8464c2ed9644d1320cb67f1a77cbaf1b9d149a6e35477f85c00177f7f13fd142086e7beb42603be78b3306a11d81080e824fc50b1c6e055bf6290cccddc88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3f2fe54477f2f74f07f43751a96b59e1

SHA1
74591c99cf8ef137ab07b33c9205b8cd42a3d843

SHA256
e3d505c635fa0c12ba5143ed86a40812ef519d7298ed3d41b765ca798b09e16c

SHA512
8d6f3b24989f6f23e9974b95fdad18f655c3d42d29d05605e5e3edacbd55345c957a5298fdde7966fa24d4ce1e8ead7ddaca22df06c610fe6f3334b8e6b5954f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
187c0842db50bebe9c7e31e8dbc4e64f

SHA1
6040983c3110db72ecb40af6c65ebc94f91328fa

SHA256
576fffacc89d675fddd0185113051b3bff470170290c41d8206a5222bc982068

SHA512
2662c3ebfee0cbf2e9c945b91f96bba5a61e31b4dfae6502b324a28eea4f3604b7a8145eee45cbe494d90a9520e948486d352ebccd665c340c0624af17489612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f362bb78993cb92a8b0eaaa98eaaf5e

SHA1
8c056070961f0924ed15972e70de245525c637f8

SHA256
5a2cb1a91435facecf2bd22fe12eec191524dbae003b9608203923be41b09490

SHA512
69ac9ff0072ea477246c9b4bdd42b7e4314df98b04d8cdd52fd0eb822056524a246e80c92ff92f4f646ed6af5c0fbd97f70113b0b3f7f15916120150cc96a84a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb16c187aec725e462ac01d6a40d5e0b

SHA1
7481a30228ccd58f60107919f0ddc5de47b02e5e

SHA256
3ef08fd5fbb8c14f17888abb701612f6310342f2bb8e88f65c9adbd04c710d5a

SHA512
7d6787d147dd8136270819717a1becb4cee3c24e11da9dcf984e4cc978047804840007824988949dfc060353479144b3fa8d6cc5e8cab9267a0d723c676be921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
60d14d3e14def8cf09eb5b7f0a7cd06c

SHA1
2a1db44542c78e3d7ecce8a71b26fb9515f0d9b0

SHA256
19da7c551c8a1e603c54c49b47e868c2e203ba1a4d740b91eeb60070434aa38f

SHA512
da270e53216445b762014e7bec5bd7346be43f6ce3ab13d7240e8fb565e55b703a7b0bea98217a3d847f84009080c2dd75835af89d938023198aa5fc1211dc2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
b90854f7cd535cacbaf5739a7f6d133f

SHA1
e66e1edded408c6272f5f11b332f1dc06e2723ed

SHA256
5adfc1b127d45740cd24b37e5157ef2c57e08d5f6d16568a888cd1ab78b63c28

SHA512
23fad882488a65073483c263e6e2749f368536ce7e623d1c4e0d5b0e0be43d40be0e18e7fdc39e491779d518be19e970d37e1d7b28556eb44a2c80dcb3b52e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
3dc5da4b5a5334a1effc0e10bcc222dd

SHA1
1a9901437bfd29b1c938e8a338d68d068ef9e739

SHA256
67e1df375c78c186d907f86c52dbe76cfc37203483bf1c4f95541398f9a67b3b

SHA512
c71f6149bb25bd7a0dbe33b0b392accc7cbabe3a6c7e8a6fd9f59f2d2952777cb9290a206f240926dc7ad0dd4019530b88415aa73460306535f0adccfd9ffb0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57e4e2.TMP

Filesize
119B

MD5
29742d35f089d6b08db339cedeff443a

SHA1
114c34727959adced19e43b1c1637fafae02741a

SHA256
064a1295db4284fc5f88d5f261c0f3be8f7efe3bc5dbe22b629decea36db4050

SHA512
e69d0fba4e9765a072e45516d0266f3e4a6123c2cb59620c991ca729eb42cf033c278f6f9b5fcd4444527aeb99cd32f5191581ededdd2baf0b102524325fce1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Desktop\Aimbot MTA.exe

Filesize
3.3MB

MD5
232fbce8fc20397039e7115d6736c5f4

SHA1
ec3f9e41474a0e2597c5aec4be25158ccd2d4c68

SHA256
f9a036faaf0d8069cad71070e3327f2b6318e7026338c32eb46dc23c18ab1291

SHA512
b00d44a3fc0685b917a50008d66efd44c697692a7f02b2bc18f3c325642a8bb94d5966bd66d21fa045aa24d02a88600b3b66122e3a3f6309b3854f6820bc41de

Download Submit
memory/1956-39-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/1956-40-0x000000001CC50000-0x000000001CC8C000-memory.dmp

Filesize
240KB

Download
memory/1956-36-0x000000001CD00000-0x000000001D228000-memory.dmp

Filesize
5.2MB

Download
memory/1956-35-0x000000001C610000-0x000000001C6C2000-memory.dmp

Filesize
712KB

Download
memory/1956-34-0x000000001C500000-0x000000001C550000-memory.dmp

Filesize
320KB

Download
memory/4116-14-0x00007FF9FFA10000-0x00007FFA004D2000-memory.dmp

Filesize
10.8MB

Download
memory/4116-6-0x00007FF9FFA10000-0x00007FFA004D2000-memory.dmp

Filesize
10.8MB

Download
memory/4116-5-0x0000000000C90000-0x0000000000FE6000-memory.dmp

Filesize
3.3MB

Download
memory/4116-4-0x00007FF9FFA13000-0x00007FF9FFA15000-memory.dmp

Filesize
8KB

Download