quasar | 129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de

Analysis

max time kernel
123s
max time network
127s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-12-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimbot MTA.zip
Size

1.1MB
MD5

daa57cdeeab30823f89e5349b832a817
SHA1

feb679856d7a4a04d5e1a26e741dd6deb5ee0e88
SHA256

129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de
SHA512

1403f94c54374a91e8d9e29b594b490ff49c16b4bd404148157e7b2a7eb57beced3459e612045433e3b4a0f78aca93d34fe2f4c198fc5669dee85c139273f376
SSDEEP

24576:3bPC4RI32t9KyRPCKNJrYjWj1JkpsnWvWjI7mBPJiOMSeFAPNuHWE:rKsIm3K8voCApsnBnFJirjSU2E

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045037-3.dat	family_quasar
behavioral1/memory/4292-5-0x0000000000550000-0x00000000008A6000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4292	Aimbot MTA.exe
1264	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801138211370056"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3520	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	chrome.exe
456	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3932	7zFM.exe
Token: 35	3932	7zFM.exe
Token: SeSecurityPrivilege	3932	7zFM.exe
Token: SeDebugPrivilege	4292	Aimbot MTA.exe
Token: SeDebugPrivilege	1264	WindowsUpdate.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3932	7zFM.exe
3932	7zFM.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1264	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2696	456	chrome.exe	92
PID 456 wrote to memory of 2696	456	chrome.exe	92
PID 4292 wrote to memory of 3520	4292	Aimbot MTA.exe	93
PID 4292 wrote to memory of 3520	4292	Aimbot MTA.exe	93
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 2112	456	chrome.exe	95
PID 456 wrote to memory of 3260	456	chrome.exe	96
PID 456 wrote to memory of 3260	456	chrome.exe	96
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97
PID 456 wrote to memory of 2752	456	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aimbot MTA.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Users\Admin\Desktop\Aimbot MTA.exe
"C:\Users\Admin\Desktop\Aimbot MTA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3520
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1264
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2876
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    PID:2684
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:736
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2404
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies registry class
      PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc153ecc40,0x7ffc153ecc4c,0x7ffc153ecc58
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5336,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4736,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4748,i,8908850543430925972,1616300490717498660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fc2d0c0fe98015746b767f14575408a0

SHA1
ef077117e7d33256eb943845601f1abd19988dd6

SHA256
c850f118c5b97f0548293c1fb5973220534ea0f0106fb0851cbb5114935c785d

SHA512
ad74b424eaa450e750e15d9dee956de20c856bd03a9f24e75914110281fcd478dea9b8dd796380a80ca65934952cab92db3ffa92df0c92b653975c5333c3ed96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
8d91ca9d08b5ce8792edaafd33ba44a5

SHA1
629f3a4e615a2e2afc721c71d0afd38860d9de09

SHA256
98bee0e34d79f061381cb3f6bcd668fba12b5871be9603d69768bb0bb228ee94

SHA512
0ba354aed4637beaed8f6df8dfb88305e09834d4ce6e52ac9387be74e7482538b382c334148ea124b6d492ab50f079c52d3fa684d0217039dacc39e3814ba931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6404715e5541acd7351d106c42f10685

SHA1
22fa664d628de23cf059565141af079f81f4cf6d

SHA256
7928cd70e11d39b41ef3825f178a3bff88931c09f77a157315031176655dedd6

SHA512
d4be42acff3f5c6811a57869a016811488a254a2e5269addf9a57085581761dc47772576695afea467cb8df464037d839d00aca5a06d5914637d3b11db93d91e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
54c136b3b32914547a3b80611208c9f0

SHA1
cd57bfc1940e00f7dd52c2844e16f5dba3e72576

SHA256
7b0057d0bf028704f5b1130e1db70ad1eb1d43268b6fe24c0de435929f2cbcf7

SHA512
02d438b20a9729b194769c2b2c262e5d2b02369df32fa9783b2cb323c418cdb2c429fe698aa3a66318fea35e55061856ad41feff682e5a28cc1f956e7bcefaf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
eef800125021f38f97da87e97e9ff4a2

SHA1
fa9b5aa7d132d2aa7ce9774d298d491c4cc3c022

SHA256
58aaa0edc0888ef82b1c27057b9d98a2c836acdab920d59de87221843fca1545

SHA512
a52996eb517d4febb1c34dde4f536b4c118b4aaaeacaea912dd8eed1acd7db5cd4cbbf8f11f31c206c8b2ddcbbf9bf777fbdd8330e5322f29a5a26028899bf3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
6f164c0a2342bec4cc565c5b7938e923

SHA1
e26e85734cca2aebf52931bb79e032f01ccf7a1d

SHA256
033bbe6f13c793b9b333b36cdcf1ad3a4369652d6201f1f35a3b8c6ca316355b

SHA512
b012dee8035c7a4934ad0d606f4190aee28a84d60498a4b50ca54a3ed925e5f1606f5d322bed8e656b827397bef92cdf07d3759a2dc07d2109fd0d869e8be79a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66ab0bac2eefb898956ec961c33eb052

SHA1
b0cc366b06adaba72ab0cf0f1e41b5f37722226b

SHA256
19e7311d57f429e3a527b4342cc3f6b259a4b052bd0e982c97b8d98e4722a0a1

SHA512
87ce9e2104d4836185840bdc8bf89ee75f7a43811c1810d2d81f140209057defe43b705c6fb9efb2d63b512214746e6e985b860bd5489ca41ce9492b72b69545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b493cfbbad0ba1499bfa9995a60443c

SHA1
3e3b76c1ea08e10df86b26b7a0471f60c0ac5d34

SHA256
790c4be1cd8fdaafee3f78424702578102d437aa0e1e1947106f539a6c8f66b9

SHA512
7ce30bd84c683660e9c9becb35312eb60ea82c73f92a7f2665eae2300a3b3fe40d64f3d7b98b254fc2ae1816312d74f6d5c28f0a5c6f3ea971a25052e4729a59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72ff58c9ee254bfbd123bba96f82c9ad

SHA1
5a68931dfe7874ca21eb0ae26b403489b56c5f61

SHA256
d8c6dabc2f740e895a84d42af38f8123de30278e5cff04851b056a4c69b6b7cf

SHA512
e0960e2a1101632246c06e676e369cb096436193115ce6991b49cb9a6539e5539a23c4d59ebacae213f6cf5689991c522d2bdc0af7fb47915bbf664c0f40351d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99882fffddf34fcabbfac069e37b5de1

SHA1
86bba05bda4d2361b2b88adee4d9c98769a78ab1

SHA256
faad29bb7f49f029789eccac37a00f35810b457f24126b9a1e1a5d4656140838

SHA512
b28da7bd17e5d9b371246d36e972959f100b17d73f62c9127a81834c18b2ac9fddafea1c6c3c2376296797b039074851742c6ec9f301f72f6900fcca4c13d084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb0e1d26f5dc06a1a776a5a2f617a0ea

SHA1
a089979e875d5d0d7c1bea8b075346f9e2932940

SHA256
a6f18d61cf094223a85cd7ebe9f7a7eb659824bf0bedfdb5291110712dc4be65

SHA512
4c99fbd391d4098d775a35a767d1df45b9f5e8bd73ff9ba75ce4e499664c549467bb55930ecef04eef25db5c890d7cdccd9d4e75144d3a04e987359064337ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80ce6eed1c579a8616572caba9e2a587

SHA1
d828b5e9c6df7fe5b17dbda8f06639e0fcd0b452

SHA256
21629b1920ade11e881b8f6a8a75da2146bcf96e3e6959e2e2a128deb7530b4e

SHA512
98c3747d1540e4b3f39bc902566c709c3e0129af0acc0c06cd96b8ba7fb4326f640aa7563e5341b151696db796e5b5a87e900894757614d95a77df026258f7d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7560b5270740dd1ed32d4a0bee82e47f

SHA1
9dd91105ffc106d665802053efd58ff084e245ce

SHA256
7e96b543a37158a8822ee441bd70ad17816c8dc170239d9f9db97da7a7bb89b0

SHA512
3b7e5dc3843d294829a21d1234c7863f2ae38a44c0e93d191d1cf52a515078272e2aeadece92996953dfe215c47f6291da66aca6b48e27674d74d14c392c157f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
915a7fb25064a99017603bce76343bf7

SHA1
36891946c18425b6e46fca29b88ea82dedcdd219

SHA256
278b6e69da0d3be7acad105c62e5b471e1026d9edc7685cd768bf1dab7127cde

SHA512
6ab8cc7ac83173f3f0a3b7ff5b866cd87bfe9a3cf46de9e21089492dce7c0d4a637472a0aa0883a9fec0f4cca5767c71608ecceec20476254c2182b0f8010448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
16e6bf25f2a6812de9e6192f5697ed80

SHA1
8585eb63976b65e0cb5f719f0cbe6dd9da315d90

SHA256
63bb082c9b381943c48c4e46d8958b32ec2d163b0ba573ef4d1a2d553dbe3fc1

SHA512
7c6dea193d528c23b1f089ef4a476d4b6c4c1a9e54d15deb28ea0ec11af133fbd695ef8d25a6ab2302a58b52be2284b5774f2cd74c082f26fad30e9d0cef0b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
27ddd8e482e07a86dbfaac79bbdb52c0

SHA1
a5fcbdf15f34758b7e53f30aa86e48b7f9ddf7fb

SHA256
1455d1fc8644aa7e12413b215c69d3021ff298b2b985e71946218d8eea80dbeb

SHA512
766092110450a0ed8972747fff10230b40e5a35f64d39a9057826f7dc7e82f88b733cccbc0ef22f3e9ef0105ee98984c0e39db8d04fcb7c0033f97b8ebfba55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir456_1084453017\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\Aimbot MTA.exe

Filesize
3.3MB

MD5
232fbce8fc20397039e7115d6736c5f4

SHA1
ec3f9e41474a0e2597c5aec4be25158ccd2d4c68

SHA256
f9a036faaf0d8069cad71070e3327f2b6318e7026338c32eb46dc23c18ab1291

SHA512
b00d44a3fc0685b917a50008d66efd44c697692a7f02b2bc18f3c325642a8bb94d5966bd66d21fa045aa24d02a88600b3b66122e3a3f6309b3854f6820bc41de

Download Submit
memory/1264-36-0x000000001D2D0000-0x000000001D7F8000-memory.dmp

Filesize
5.2MB

Download
memory/1264-34-0x000000001CAD0000-0x000000001CB20000-memory.dmp

Filesize
320KB

Download
memory/1264-35-0x000000001CBE0000-0x000000001CC92000-memory.dmp

Filesize
712KB

Download
memory/1264-41-0x000000001CFE0000-0x000000001D01C000-memory.dmp

Filesize
240KB

Download
memory/1264-40-0x000000001CB80000-0x000000001CB92000-memory.dmp

Filesize
72KB

Download
memory/4292-6-0x00007FFC19BB0000-0x00007FFC1A672000-memory.dmp

Filesize
10.8MB

Download
memory/4292-18-0x00007FFC19BB0000-0x00007FFC1A672000-memory.dmp

Filesize
10.8MB

Download
memory/4292-5-0x0000000000550000-0x00000000008A6000-memory.dmp

Filesize
3.3MB

Download
memory/4292-4-0x00007FFC19BB3000-0x00007FFC19BB5000-memory.dmp

Filesize
8KB

Download