quasar | hxxps://cdn[.]discordapp[.]com/attachments/1302822452942082088/1322422679780982846/Aimbot_MTA[.]zip?ex=677ffad8&is=677ea958&hm=865823792051ab2172f22b645478c253ccd3541431f2a6cbd6053af78b9e0077&

Analysis

max time kernel
74s
max time network
77s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1302822452942082088/1322422679780982846/Aimbot_MTA.zip?ex=677ffad8&is=677ea958&hm=865823792051ab2172f22b645478c253ccd3541431f2a6cbd6053af78b9e0077&

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4420-100-0x0000000000540000-0x0000000000896000-memory.dmp	family_quasar
behavioral1/files/0x001f00000002aae1-104.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2100	WindowsUpdate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Aimbot MTA.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3716	schtasks.exe
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
4772	msedge.exe
4772	msedge.exe
1616	msedge.exe
1616	msedge.exe
4684	msedge.exe
4684	msedge.exe
4752	identity_helper.exe
4752	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	Aimbot MTA.exe
Token: SeDebugPrivilege	2100	WindowsUpdate.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1292	4772	msedge.exe	77
PID 4772 wrote to memory of 1292	4772	msedge.exe	77
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3540	4772	msedge.exe	78
PID 4772 wrote to memory of 3896	4772	msedge.exe	79
PID 4772 wrote to memory of 3896	4772	msedge.exe	79
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80
PID 4772 wrote to memory of 1352	4772	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1302822452942082088/1322422679780982846/Aimbot_MTA.zip?ex=677ffad8&is=677ea958&hm=865823792051ab2172f22b645478c253ccd3541431f2a6cbd6053af78b9e0077&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18193525944298674314,3798550434352259485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2128

C:\Users\Admin\Downloads\Aimbot MTA.exe
"C:\Users\Admin\Downloads\Aimbot MTA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3716
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2100
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
256B

MD5
5c3eb131e25d5c24fe6a5574ce36463c

SHA1
ab9bcad034ebf1357d309865947585d9442027e4

SHA256
7d625ddb932016d5d016641a2c70e26042477840ea13a793fe52c890416f1417

SHA512
5eee06fcb159f28e6dc3f423a1177158dad6c411231aa011c84a36c82cf8537f78793463728d82df8fb5d26ef96d2b04dfcf2f226f3cb4963061a7e40df136f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3007e65f60dbf36a1257b91a5a4f15f6

SHA1
c6ec538081e19ff1af372b1fe827db3f86ea8711

SHA256
8dcaacfc61e95b546c8edc6673df11aa6a38530eca2ad62027b8456f4023b2db

SHA512
1437139a28c1d73a027265d283a0794538abc37eba06bd50f0a40aa17fc2f72ecee8f6ed450be2451bc36cc926951ef12fc9f0bd5709f46460ced0b295ef440d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac450bf0cd9aaddf1dfbd0bd1bf616b7

SHA1
f6ab3e4565e2ccb16f185766dff17916f4ab97ea

SHA256
09dafe3eac75b833116903a3926ea63a661bf62b924f30cffb70d9ffeccb1a6d

SHA512
5716ddb426190ced8dd8d54e7db8ec354c22b9382b6ed95f632c6068e1b211201a417f7eed8816cba01b1182d274e125e81dab794289b5b6fa48075cd0ea7fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f1d834aaa019f3d47f3ad275d9a851e

SHA1
ecdb182a093df39053193d6cede9352ff7e3cb82

SHA256
ce2ee82e5e7885f91b4a233bd66f2ffbe7712658abe9a56708370c561b6e6209

SHA512
684e0c5f80cb917329ef9ac8e627ddf345fcd771e8b8e1290f162c32d53a68b75dbd16b5169589b78cec7ea6ce0d5fa48f6ee43bffc524f1e4cf2369ed99def1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3fe5c5af75ee4e8c7e260db7158246f

SHA1
b5d9d27957a02701279a8418322280bb2fb7108d

SHA256
70531f5ca737fb6e602fa56d89a779fbf93644ce47ec1cc23bae477895bab48e

SHA512
9542bfe8f4106b08d56406519bfaf4363adeb923f9f3186de618995671eca42297e3bd026326e574b486f04eba4b7b3b4a9f25070d7b3d4ddfb23079ec3f0b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
512ba0cf1444c1edb7b505e68542cd0a

SHA1
1af02bc64e55167ca4312d97a143532bf5096316

SHA256
074397a09dce6b259abc50d103baefeacb4aa2c5fa19b149c0096d4d9d510667

SHA512
80839dbfdded3f7e869d2a7665c75a9704ca9f74bb1ff91db2a6f142cf4715938c0f8498f8d0b50d6ea9cc916a2f1351c0543b0e30f3e8ae12419574e6807c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45b657520ff50ac3fbed3fc4a575ad68

SHA1
0298b4393601732b06d235c0ccf36c0a9b78139d

SHA256
c66685ca58199ddc0a6abcd7a5c797c69ac383bf9524e6ab0363f1a2cee5672f

SHA512
f6123ee26dd751dfeff8ab47a31e2c583bc83714261086038950aa3723040a81883e00abcf8ccb7d872fc3ea85437e99eb56d6696e7267eb4a65e808c540d8ea

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

Filesize
3.3MB

MD5
232fbce8fc20397039e7115d6736c5f4

SHA1
ec3f9e41474a0e2597c5aec4be25158ccd2d4c68

SHA256
f9a036faaf0d8069cad71070e3327f2b6318e7026338c32eb46dc23c18ab1291

SHA512
b00d44a3fc0685b917a50008d66efd44c697692a7f02b2bc18f3c325642a8bb94d5966bd66d21fa045aa24d02a88600b3b66122e3a3f6309b3854f6820bc41de

Download Submit
C:\Users\Admin\Downloads\Aimbot MTA.zip

Filesize
1.1MB

MD5
daa57cdeeab30823f89e5349b832a817

SHA1
feb679856d7a4a04d5e1a26e741dd6deb5ee0e88

SHA256
129c9712c6553669392a034fc14842a4045df98bb8abce95a6b74ecf9760a4de

SHA512
1403f94c54374a91e8d9e29b594b490ff49c16b4bd404148157e7b2a7eb57beced3459e612045433e3b4a0f78aca93d34fe2f4c198fc5669dee85c139273f376

Download Submit
C:\Users\Admin\Downloads\Aimbot MTA.zip:Zone.Identifier

Filesize
222B

MD5
14334f1349878d4d22f1b7afff05c144

SHA1
92063be6f406a93c6af7ffd698e7191d21bedbcb

SHA256
1eebf5c33b9e820e981850b5da07853170ae09daea75668a8bfbaae149b7bcff

SHA512
6ffa3fb94e4f566f9c601cd54e0bc1d8085d85f433857371081d3d7f41e3d06d3fa33293868c31cd40ffb2ff06c5db656823d18fc7c5a08144a7c1e61056cdd7

Download Submit
memory/2100-107-0x000000001C050000-0x000000001C0A0000-memory.dmp

Filesize
320KB

Download
memory/2100-108-0x000000001C160000-0x000000001C212000-memory.dmp

Filesize
712KB

Download
memory/2100-113-0x000000001CAA0000-0x000000001CFC8000-memory.dmp

Filesize
5.2MB

Download
memory/4420-100-0x0000000000540000-0x0000000000896000-memory.dmp

Filesize
3.3MB

Download