quasar | 129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de

Analysis

max time kernel
99s
max time network
97s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimbot MTA.zip
Size

1.1MB
MD5

daa57cdeeab30823f89e5349b832a817
SHA1

feb679856d7a4a04d5e1a26e741dd6deb5ee0e88
SHA256

129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de
SHA512

1403f94c54374a91e8d9e29b594b490ff49c16b4bd404148157e7b2a7eb57beced3459e612045433e3b4a0f78aca93d34fe2f4c198fc5669dee85c139273f376
SSDEEP

24576:3bPC4RI32t9KyRPCKNJrYjWj1JkpsnWvWjI7mBPJiOMSeFAPNuHWE:rKsIm3K8voCApsnBnFJirjSU2E

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00240000000461b4-3.dat	family_quasar
behavioral1/memory/116-5-0x0000000000FA0000-0x00000000012F6000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
116	Aimbot MTA.exe
2548	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801974457635641"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2964	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2460	7zFM.exe
Token: 35	2460	7zFM.exe
Token: SeSecurityPrivilege	2460	7zFM.exe
Token: SeDebugPrivilege	116	Aimbot MTA.exe
Token: SeDebugPrivilege	2548	WindowsUpdate.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2460	7zFM.exe
2460	7zFM.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2964	116	Aimbot MTA.exe	93
PID 116 wrote to memory of 2964	116	Aimbot MTA.exe	93
PID 116 wrote to memory of 2548	116	Aimbot MTA.exe	95
PID 116 wrote to memory of 2548	116	Aimbot MTA.exe	95
PID 1304 wrote to memory of 3000	1304	chrome.exe	97
PID 1304 wrote to memory of 3000	1304	chrome.exe	97
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 3048	1304	chrome.exe	98
PID 1304 wrote to memory of 4704	1304	chrome.exe	99
PID 1304 wrote to memory of 4704	1304	chrome.exe	99
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100
PID 1304 wrote to memory of 5036	1304	chrome.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aimbot MTA.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Users\Admin\Desktop\Aimbot MTA.exe
"C:\Users\Admin\Desktop\Aimbot MTA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2964
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2548
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff89203cc40,0x7ff89203cc4c,0x7ff89203cc58
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5492,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5432,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5300 /prefetch:2
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5160,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5140,i,7116800343489494171,7085799090605487231,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
134feea64f2868f86e4660f3ed034fbe

SHA1
d8979e84e448f41ee603926867ba532b21ee61b5

SHA256
12226cc4585754670c77d947e9d2f9dc730f7e694f8bc397f2447fd9fee85781

SHA512
9e70fdf978597cb8c445fa3dfef8dafe2d0f401e3de284e6385b117675e4e6f9f2b1d5799f8c5d25fbed34cf1c03fb20b843ee7e112d89cfa55551c1ca830497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
5d31c68b634e028d47bb1b402722271d

SHA1
606f4634d4ee0457e2896fe02beab253ec7fed19

SHA256
d8ae1b0091005d03e4a9b8200aa90259ba2ba2f54a07ee6628bd4d94af361d5e

SHA512
aae698a6e9304a3b5e923b8be3bacb8834b8c43f25d2fa3d108fdf90cc4fc18ba6fc078ade3c0d320ebb16443800608ae8a8284862043f7fce0569caa16f9571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
88459205532cd5afb96dcfbb9d0d1c5e

SHA1
2be80cb0d2aad4e3bb0e02d579f9e135399c5641

SHA256
2f094aa99e8c6a7538328118701e7353f061e96ddf88dd195de4faf36c98ec0c

SHA512
6d07d5f1a97ff5e35effe8ca8d50b77b004ccc60f3bf778a37effee96b00c8f79a13e14c0c7c7e2af60cd07a3920596dee74c8dca9b525f357ae97df43be7c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
e21244d61bbf2c80b379a68e0c9068ef

SHA1
49c59d8a5e9bf5f1e9282179bd47a137c5cfc325

SHA256
8108bbb22e994b0b9c90166e94be0a5cd818e9da6b7c19145d5230c7846a0cce

SHA512
9743818f72b37c93b54e8443b1a24c236e4f1a78faeb87f395a4390cd190038bda2921ce82026cb632096bef3024bad051c5679bbedd9e429b92b48098b5f806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
95210a2952cdf2d24bfb8b88f43c75e1

SHA1
d3c1ea4ac5924b4f60be19a63002ad1ce830ad61

SHA256
2fcd45cd93a67b2062b6453f4da70ed6bd2194b00b391d43286cabaf1792ec6b

SHA512
ed981587e815906bf3068e4058061796f75a52a7c5468a5b7b4746aba40c118666746ddf87fd5c8df71690cbf61e33220b1c139b9199e31778d63e2b19ed7bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e03149fa3a0c4c83cf28e2adbd954ac0

SHA1
0c053660147a5c47880f71c5849854ff73e5a33a

SHA256
0f99052dcd4a9096ad9281f82506feb4b5528f8eef6a6902d641ef5085ea3842

SHA512
3d641ba6f4e1ac2536ddc96e20ffeda66ed4edb30b9b0cd6da3255676a7b4cea164e23c21624e7ffdb6157bb80d8da18ef4fa01f28ecb4900a8af5a9cc7f1278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
731834251e72bb52ae258ee3d7dbd90f

SHA1
558338d5824e0f3b455dfdfbf514748c36d45ae9

SHA256
deb02ff342a4fd4212bd245b0d52ac2a48572fc114b3e72a0a27cc4fc0b2deb4

SHA512
8bc848ba0f2ba9fa87a24031dcd2014850c9512b40d570f6bb53b563cf27b0e3f7fa71f4464cb750e07d49b026886010410bd848c114f64cdbe6bc20d59c6566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f80f8482d6bbf59532e2636336c6673c

SHA1
ded520734658bdc196d68549f892fc597bfd05c0

SHA256
a1ae64a992dce1ab90d6709bfee38705151fc2f4a0c9ee25edb1bd5749bcac10

SHA512
9af408b9b7a3d2ff49b72fbf843ea8f295a7c8c07bc4aa9c2446099a0cbdd7e53568542db569dfcf769db04ecaf402022772fbccc04df9f49cef59eb3049d825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4fdf09762e3aa797316e4e182925c851

SHA1
be571c2aa9da26c28d09f9f143c3750ed66186cd

SHA256
e19e094d7f9cad0467f3fc71bcf5fbdfcec1610964d22b18f526a0670f2bee8c

SHA512
79582c43b7208392e62da2ab28a32e590a3918fe1a604c3e9e86be6530d9dfed84a42a3d9b8a303b78abe55bf5ddba3de014149d77d8399eb84681f7f651dbc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
afd5542fb30387166eaeb3d65fe28773

SHA1
544017df6d8ce55fb85d9c9419fd69c785fda6d4

SHA256
4c289921c557ff5366755392773cd9a6d7510c19bc6022638370e3556fac52f3

SHA512
3cbbc1564be9d25f87cf28fd5e4e3a11f3dc03a64f3db59df3ba170a7f0ce90fe2e0124f23cbc3fd634fe18e39d62586c7f8a62f15d0a68a95a1ffe2a1786416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e277dae94738a19cefb27d056c4e9e6a

SHA1
1ba591d23fa07e88998db42c7d6a7682f64bba1a

SHA256
a327773ca34561d305a81016a03f08663eb59a7934789cd69a9c4ae4b6e20528

SHA512
67587bc3f9ce408813d4c82cc9c46161273d06fd8ed282765a6dd4d721b9ad891597d2756fc5ea70feae00155ea97590f7d4dec66e0694f4b3e65c76a3737d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
01bffc98d73ed4010fd1a78ce42c370c

SHA1
c96fbeb9f33180fa12eedafd59830cee225a3d4e

SHA256
38c627f7a1df036fd1617a2cea32033f5edf0ec81cbe472283b4c3f827f192da

SHA512
b2051870ffbaf9611e4a601c84ddb447738e1c3eb5334c190f60ae64e61e714a1e2ce12a156e47cd30f2d2a64d62ad24ba928c3ba3e175e7ae510a3e2692971e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
12a6ee7b872f51ffd0ce45908b94d49d

SHA1
83904412d70c2f9f22eeddadde3338e2ccf99eb2

SHA256
f11e8c8d58d52b83591e5c57c5edc090398d0af5fe27f5e389f1d6f12068a36f

SHA512
44962e287ebc7c8624924413ed403f2936eea45b88b30c97f80790e3293c5d966add3e59dcd32d0ffe79b10811710a9a206dc4559eb8b0e601b51938940ef028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
14937e7ccc2e8b49dae154d065cb7134

SHA1
c7411ea8db6438228715bab6baa5da660e3f9987

SHA256
a5979bad858a1077daacdd4f2c91f06236cb01b4027da11a5cfc5a84bbe57975

SHA512
b3370119abbf278944169134627574d9ceaac3574869240b18a95ecb5132f7ce9ca323ed054f04bf34f4d1807a34ec1b5b5049250c16dea6a98efcbfc95b1434

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1304_1597475443\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\Aimbot MTA.exe

Filesize
3.3MB

MD5
232fbce8fc20397039e7115d6736c5f4

SHA1
ec3f9e41474a0e2597c5aec4be25158ccd2d4c68

SHA256
f9a036faaf0d8069cad71070e3327f2b6318e7026338c32eb46dc23c18ab1291

SHA512
b00d44a3fc0685b917a50008d66efd44c697692a7f02b2bc18f3c325642a8bb94d5966bd66d21fa045aa24d02a88600b3b66122e3a3f6309b3854f6820bc41de

Download Submit
memory/116-9-0x00007FF895D80000-0x00007FF896842000-memory.dmp

Filesize
10.8MB

Download
memory/116-6-0x00007FF895D80000-0x00007FF896842000-memory.dmp

Filesize
10.8MB

Download
memory/116-5-0x0000000000FA0000-0x00000000012F6000-memory.dmp

Filesize
3.3MB

Download
memory/116-4-0x00007FF895D83000-0x00007FF895D85000-memory.dmp

Filesize
8KB

Download
memory/2548-25-0x000000001E350000-0x000000001E402000-memory.dmp

Filesize
712KB

Download
memory/2548-24-0x000000001E240000-0x000000001E290000-memory.dmp

Filesize
320KB

Download
memory/2548-38-0x000000001E310000-0x000000001E322000-memory.dmp

Filesize
72KB

Download
memory/2548-39-0x000000001EF90000-0x000000001EFCC000-memory.dmp

Filesize
240KB

Download
memory/2548-40-0x000000001F500000-0x000000001FA28000-memory.dmp

Filesize
5.2MB

Download