quasar | 129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de

Analysis

max time kernel
27s
max time network
31s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimbot MTA.zip
Size

1.1MB
MD5

daa57cdeeab30823f89e5349b832a817
SHA1

feb679856d7a4a04d5e1a26e741dd6deb5ee0e88
SHA256

129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de
SHA512

1403f94c54374a91e8d9e29b594b490ff49c16b4bd404148157e7b2a7eb57beced3459e612045433e3b4a0f78aca93d34fe2f4c198fc5669dee85c139273f376
SSDEEP

24576:3bPC4RI32t9KyRPCKNJrYjWj1JkpsnWvWjI7mBPJiOMSeFAPNuHWE:rKsIm3K8voCApsnBnFJirjSU2E

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046191-2.dat	family_quasar
behavioral1/memory/4868-5-0x0000000000660000-0x00000000009B6000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4868	Aimbot MTA.exe
3924	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133799834518399724"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3604	schtasks.exe
444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeRestorePrivilege	644	7zFM.exe
Token: 35	644	7zFM.exe
Token: SeSecurityPrivilege	644	7zFM.exe
Token: SeDebugPrivilege	4868	Aimbot MTA.exe
Token: SeDebugPrivilege	3924	WindowsUpdate.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
644	7zFM.exe
644	7zFM.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3924	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1644	4448	chrome.exe	92
PID 4448 wrote to memory of 1644	4448	chrome.exe	92
PID 4868 wrote to memory of 3604	4868	Aimbot MTA.exe	93
PID 4868 wrote to memory of 3604	4868	Aimbot MTA.exe	93
PID 4868 wrote to memory of 3924	4868	Aimbot MTA.exe	95
PID 4868 wrote to memory of 3924	4868	Aimbot MTA.exe	95
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 964	4448	chrome.exe	97
PID 4448 wrote to memory of 2572	4448	chrome.exe	98
PID 4448 wrote to memory of 2572	4448	chrome.exe	98
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99
PID 4448 wrote to memory of 2104	4448	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aimbot MTA.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:644

C:\Users\Admin\Desktop\Aimbot MTA.exe
"C:\Users\Admin\Desktop\Aimbot MTA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3604
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3924
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9fa7acc40,0x7ff9fa7acc4c,0x7ff9fa7acc58
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4352,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3360,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3260,i,8013723229057308590,17615546779631932227,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dbe7f5f6a761e6de2317ce7a74359ce6

SHA1
d874ec2acea3913bbc9f829952e4b0082275ff01

SHA256
13ea9ac6fcd2760be2b5151b0f2bfb8a0c74b786f91fd2ef7153bf0134586f86

SHA512
0967f33753976a5eed66b53659bac67964d4e17d0f0855c3a1393541ac01c7c7814e467e65c3a2d34a2522b5881510e14b5f27e0b7662d715cce88f0a75e91a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d389d6ee99007696d53e05cec5243dc6

SHA1
ef1879624486da07932607477df6e0fd3b7449e8

SHA256
99b400cbcc200a3d02b4eb8dc0b9148f2f0b6dd8bb278f62078d6858757e1eed

SHA512
68644232c64e4e57bf06d23b1a23f29e0e1aa13fee681822f7cb091afd368870c7786b72f8ca2448dc6aa4d8dfe5698a590352bf920f5057c04b6d66b7cb60a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
cbde1348faa7dcf7a65e42b21643ab44

SHA1
14e081d457bf06f5d89c3cad277bfca0c1c28221

SHA256
8c56c39f78cdcb8e90f2b63809f2e61eba0a0e6ee6a6436005f5d79a041c09d2

SHA512
4d428d1c7c621ac7a17f548efd97d230876090f0a378fb3da81ef3ea5e470febf4cac7a3c68aaff4b51a98318cd633415364f7b794ef37756416408b495535a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4cf64ef659e7e7dec8b38403131a9a88

SHA1
16e14c80add39a377197237ecc91331462adac42

SHA256
dbb60c0c078a177c4e3cfff2f29b25278172e9b5302315fb263844bd3a91baed

SHA512
1799e57cc9c94eb5ad1f35cf5b707afe3007c4d4a451bd22bdc7197d93f201ff78ca10d6242425f7feb20c5a7cc257cca2ead004964dc2ad1b5fe050994c8248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
65297bec94708217ef9b4b510d3212a2

SHA1
442edb9c075b95bbc8898fcc8317bc20fedd5c94

SHA256
ad83a1c561a27321f3a55ef91d9ba77582f06df13a0151541a82bfa72893ece0

SHA512
232a9e39776376aa9ca993627ce84929f6cd424c51fd7b07571d727d61e9897613064c7d0c69618c8dee15eb964253e8dae07324e963c55392d8e04afaf13976

Download Submit
C:\Users\Admin\Desktop\Aimbot MTA.exe

Filesize
3.3MB

MD5
232fbce8fc20397039e7115d6736c5f4

SHA1
ec3f9e41474a0e2597c5aec4be25158ccd2d4c68

SHA256
f9a036faaf0d8069cad71070e3327f2b6318e7026338c32eb46dc23c18ab1291

SHA512
b00d44a3fc0685b917a50008d66efd44c697692a7f02b2bc18f3c325642a8bb94d5966bd66d21fa045aa24d02a88600b3b66122e3a3f6309b3854f6820bc41de

Download Submit
memory/3924-35-0x000000001D020000-0x000000001D0D2000-memory.dmp

Filesize
712KB

Download
memory/3924-36-0x000000001D710000-0x000000001DC38000-memory.dmp

Filesize
5.2MB

Download
memory/3924-43-0x000000001CFC0000-0x000000001CFD2000-memory.dmp

Filesize
72KB

Download
memory/3924-44-0x000000001D620000-0x000000001D65C000-memory.dmp

Filesize
240KB

Download
memory/3924-34-0x000000001CF10000-0x000000001CF60000-memory.dmp

Filesize
320KB

Download
memory/4868-11-0x00007FF9FF9F0000-0x00007FFA004B2000-memory.dmp

Filesize
10.8MB

Download
memory/4868-6-0x00007FF9FF9F0000-0x00007FFA004B2000-memory.dmp

Filesize
10.8MB

Download
memory/4868-5-0x0000000000660000-0x00000000009B6000-memory.dmp

Filesize
3.3MB

Download
memory/4868-4-0x00007FF9FF9F3000-0x00007FF9FF9F5000-memory.dmp

Filesize
8KB

Download