njrat | hxxps://disk[.]yandex[.]ru/d/f8BWX4x3KHjTYA

Resubmissions

22-08-2023 20:18

230822-y3bwksgf7w 10

22-08-2023 20:14

230822-y1c1vsgf61 10

22-08-2023 20:09

230822-yxa24agf6s 1

Analysis

max time kernel
92s
max time network
97s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/f8BWX4x3KHjTYA

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

6.tcp.eu.ngrok.io:13699

Mutex

a2b359686b88b829e368bf9d7166f810

Attributes

reg_key
a2b359686b88b829e368bf9d7166f810
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3280	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2b359686b88b829e368bf9d7166f810.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2b359686b88b829e368bf9d7166f810.exe	Server.exe

Executes dropped EXE 3 IoCs

pid	Process
3820	чит для ксго.exe
4036	Server.exe
4176	чит для ксго.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	3556	WerFault.exe	105

Kills process with taskkill 1 IoCs

evasion

pid	Process
1972	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133372089053382676"	chrome.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings	чит для ксго.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings	чит для ксго.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3556	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
1836	mspaint.exe
1836	mspaint.exe
3176	mspaint.exe
3176	mspaint.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe
4036	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
1568	7zG.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe
5368	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1836	mspaint.exe
3176	mspaint.exe
3556	PaintStudio.View.exe
3556	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4504	4524	chrome.exe	68
PID 4524 wrote to memory of 4504	4524	chrome.exe	68
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 3120	4524	chrome.exe	74
PID 4524 wrote to memory of 4004	4524	chrome.exe	70
PID 4524 wrote to memory of 4004	4524	chrome.exe	70
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73
PID 4524 wrote to memory of 3360	4524	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/f8BWX4x3KHjTYA
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffda7bb9758,0x7ffda7bb9768,0x7ffda7bb9778
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1764,i,5013297180514425345,15795610543490214417,131072 /prefetch:8
  2⤵
  PID:4232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3752

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
1⤵
PID:1180

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
1⤵
PID:2384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4246:82:7zEvent16168
1⤵
- Suspicious use of FindShellTrayWindow
PID:1568

C:\Users\Admin\Desktop\чит для ксго.exe
"C:\Users\Admin\Desktop\чит для ксго.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3820
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Ñêðèíøîò 22-08-2023 011209.jpg" /ForceBootstrapPaint3D
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4036
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1972

C:\Users\Admin\Desktop\чит для ксго.exe
"C:\Users\Admin\Desktop\чит для ксго.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4176
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Ñêðèíøîò 22-08-2023 011209.jpg" /ForceBootstrapPaint3D
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3176

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3556 -s 4068
  2⤵
  - Program crash
  PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:5192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
6ce03b7a424f29b1eda98238859b0ec3

SHA1
a7bca1da25c31b3552cfc30f18da7dee62a3c568

SHA256
5b4e085305d0d86a42bccf2710ab75e2a5feabdb6fbdd3a90104e4de3d98e99a

SHA512
e175a950edbbff9f994febbc15d09592c218809950fb35beb34a4c5e80073d66f0746d6bdae70bdc25a7db4b76f704d13fe9967f8c8ff8aed409ea3be56d2c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
548383c14461892d5786e487460f35bb

SHA1
4d263edfed2744ef7ee09a77640894bd7916e9f6

SHA256
cb17fceee1e9640ec6011594111508ec7ca430af0e16106fc531f86b49bf8b0e

SHA512
0b3c591b22e6701038cc99ae00445773fa614768ec2fe5c362a65e6c42887604b371388912dd71c39ab49580c6413d4ec3e5b9d5f6cb49a92c99800ea7fef44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
eb2424616d6945b0420ea50de32c5274

SHA1
4d7bfc6e7fbac5f1799297f0a0e3c0f806614358

SHA256
900b76fccf593cbaa97cd0bd9d1ccc04c057ab8b30fe6a37e3912752f8e11523

SHA512
9326cbc8370a829c266edac3a3c343cbc59ef62008ab7a7a4aec3b2caebbc11bf645a2e09f7fb0f7700709dd7e86aec7e5fc9aabe227e3193e6bbc6e0775b048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
58KB

MD5
1a20835382afa7b35d8d7715dca7f7e6

SHA1
f6afd2579415b151d3a8b05f6b5bfe23fd4e48a6

SHA256
87b42b461db0ef5526ada66617d413aeea35ac759d9981fae533896862310d59

SHA512
fdb755d5d72b9d9fafec7470afed743ae790290a414e28eefcb82a446205cd3f23bc8b8ce91a2f8bc7cde41e5b0bafe8a76bef3fa54c01f27520e6f44b180609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
39fed0a277672b61a37c48cf83124105

SHA1
1762fab9880e796e501e9659d08cff4f4237b9ab

SHA256
93be3d1b9ac4e3e8814095bbcd73f17138c1bddc1d81e066ffca76bfa21fc847

SHA512
c3ccceb8c4e51be70c0516bd2d0c35dbeb1cc8095787db2dc74a7d6d176dd8f3986b5ca6f5adb1615699511ea53d0adc2957eb68abdd2c3c18006dd7d81b34ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
776d9d9bb24536c73c03c704c768f09a

SHA1
8de584fa3759622a2c4e3ce5e15daac16655c3e4

SHA256
5b59b130335d9e3f08895780243282c39b4139bce28933033f0c0a773ab45c2b

SHA512
619d6c17a8c8e958b7a5ebab827ab67ac89ae166d8527d3d5a8fc560b37577370869574ea1372b2268a0ecd73cae32658851d7ca55ee4ce64f24cd4860036464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d9518516703308fdb2beb30ea329053a

SHA1
1808227a8941ab6ece7be9cf7c41ea479cd5a379

SHA256
edf913b5052b0c87f632d142a0ec75e749c731f7430f77c37ee4c83b5fb03585

SHA512
94ed0948f40044e301b854c110b8b3c26ee04031d5b710b42bf0dea9a20fec71831adb8256db684547edb0bb4d207e692765c16ceb598e348b11ccee7a8ebe08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bd8220053cfcdb55df0623d919623da1

SHA1
521ec8f508cf7e74c2150b9b78c63f1d1ad3127e

SHA256
182207b1a0bbb589ed7daba43f1db01f3ea82018795adb58c3cc4b1dcab04cde

SHA512
035bb41842af2f588f71d17eb00bc6f4e77b8c8ce3c01381cdd7cb7323324d153c79cc9128535f9e3593820efe9694350ec1a5c48ea3a72a6f000189ac9c4688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9601810918908fe89f704a6596b0923

SHA1
0ab6d6ec58d75f9065a724c1482ca02279129274

SHA256
a7620361e518d31658cecbd14957880c943b63c21648f5e78e5f52df0fa9f4fa

SHA512
6d8cb4961aa6ad5e8800a5c0ba7533b88e5d032da63be783f0b29a63184c11f5a68d2dd2ec3a6d983d9c9e6f3f75b4d4c7517083077fac0bd963ce9937b0087b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bec728bf818c9ace93c59d941c0e4eee

SHA1
52c2e5750346c0067e543eda9e07d860e88b87e2

SHA256
68f4a261c29bbba5f993b3d4b3f30929356b21df2fbc72a04f94606056ec88a9

SHA512
73d630c4c2085757d571918ae15a473de5b702faa6ffd47906f9a60752196964577f871ffe37438fc590962f89fcdb6bc6c951a784843c051b09391a41947ebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
239bf68897e4ebf366c8658338900382

SHA1
8152008a6da8f5f1a3c3693babb09d6ba848c91c

SHA256
24d36d70c9a9f17016a4e2aca7888457a967bf5d0481b2a4c60f0a8a1ae7b563

SHA512
862e163867113fc1cd8121e741e271d01ad36cfaa50b9082703e76ae026281ab660e3885d52d9e67c2f179bd635ee8c00b3740ebd04303b8e96e0a08d5b83f3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eb7ebe64b08324284082ab0fb9e26b3b

SHA1
1704436f3b250e692ccef2748cf465ff8ea0e3c4

SHA256
5fcf0baa57cb7a32c4682660aa93eff95c3011a4aae2ba867d7dda26db6f54a6

SHA512
6124c76b395f0f8bbf22fd2fb38ed91016ce2097204462882a3627793954bb37ebb2e3d2339d55db86cf824c741bb7087c98e99b8d280d837f5ce7ede4d9b1ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
25733e168366c5ef7172867aafb22a17

SHA1
10c3895cb70f976cb4941165ab4b0c0308a16b47

SHA256
499354dcdabe3becc4375ac70c5a786048cbd796f665ec2f311e8d57c2179c45

SHA512
77f46798b53eef24caa206ca404fe693cc1d970bb3c3441c459964980b1d36e5f41ef2be75f738fd6e36f899bcdfe24c1a3afac205673d7d803df8b1c2761922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
263B

MD5
16b9a764872356e213eed57d4a65a81a

SHA1
7812b9c3abcfe7ce5aee86b45cbf626ba8f1567e

SHA256
7c7fdc9b1cb7383e346c914770dca8391430f02f80d3c3f7565150e410447439

SHA512
9f9022539c022474d5c419d542680b5c3b4056fb8356d93be860f0ae65d8837756bdc13f13197702655dd302def03334e5b29255b1f55d2bba2cdfbdc2bde917

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
e92641a49515c95bd984de764e1f67c8

SHA1
f06d36cee94d42b165a71cef9f389b252f5a0932

SHA256
206c72f8772ca39e0f543254138210798365009f21a74a7f657558cb47aa312b

SHA512
282b2c5ef5174894be16f27765b5da07e6835de56ac00660a2a7ef65ecbaae8e4e442e35cd3a37a0009b2eb2b95eca1c8f4f9ab7ecff97bc593a0af53baa4c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
e92641a49515c95bd984de764e1f67c8

SHA1
f06d36cee94d42b165a71cef9f389b252f5a0932

SHA256
206c72f8772ca39e0f543254138210798365009f21a74a7f657558cb47aa312b

SHA512
282b2c5ef5174894be16f27765b5da07e6835de56ac00660a2a7ef65ecbaae8e4e442e35cd3a37a0009b2eb2b95eca1c8f4f9ab7ecff97bc593a0af53baa4c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ñêðèíøîò 22-08-2023 011209.jpg

Filesize
69KB

MD5
58841a8c9445c47c6e99512c1d837690

SHA1
ca92d50d35d2c3881c4ba80401da98deb74b03ac

SHA256
a0a80be050efab233cdd94cf6d1207fe82db9496eb3ecc69eb76dbc8ea84568a

SHA512
065f98a7d49524bf58875243d17c1027220d828f2c2572440db0e8a48077c84ca7e25d1b8f808f727ee9ad60fdf4f6882ce2c913231a4c14a9584f24335b34d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ñêðèíøîò 22-08-2023 011209.jpg

Filesize
69KB

MD5
58841a8c9445c47c6e99512c1d837690

SHA1
ca92d50d35d2c3881c4ba80401da98deb74b03ac

SHA256
a0a80be050efab233cdd94cf6d1207fe82db9496eb3ecc69eb76dbc8ea84568a

SHA512
065f98a7d49524bf58875243d17c1027220d828f2c2572440db0e8a48077c84ca7e25d1b8f808f727ee9ad60fdf4f6882ce2c913231a4c14a9584f24335b34d1

Download Submit
C:\Users\Admin\Desktop\чит для ксго.exe

Filesize
175KB

MD5
879a97febaa1a299a3f7b87222616b40

SHA1
0c3c025348cffcc4933bdeffcf82e79149bdd58e

SHA256
0a75a17e36522924b443f7e30857108d342e73b9797e80a8a3a143bbd873ec09

SHA512
2ff7e78f9c6e51822529adaa304b22a781159ad5ae86cfc26e343fbc43bf746af0b4c9fafb84d737c12fac347cf1641c6ec0ca3f14e79ac4c47b1571cf165b4f

Download Submit
C:\Users\Admin\Desktop\чит для ксго.exe

Filesize
175KB

MD5
879a97febaa1a299a3f7b87222616b40

SHA1
0c3c025348cffcc4933bdeffcf82e79149bdd58e

SHA256
0a75a17e36522924b443f7e30857108d342e73b9797e80a8a3a143bbd873ec09

SHA512
2ff7e78f9c6e51822529adaa304b22a781159ad5ae86cfc26e343fbc43bf746af0b4c9fafb84d737c12fac347cf1641c6ec0ca3f14e79ac4c47b1571cf165b4f

Download Submit
C:\Users\Admin\Desktop\чит для ксго.exe

Filesize
175KB

MD5
879a97febaa1a299a3f7b87222616b40

SHA1
0c3c025348cffcc4933bdeffcf82e79149bdd58e

SHA256
0a75a17e36522924b443f7e30857108d342e73b9797e80a8a3a143bbd873ec09

SHA512
2ff7e78f9c6e51822529adaa304b22a781159ad5ae86cfc26e343fbc43bf746af0b4c9fafb84d737c12fac347cf1641c6ec0ca3f14e79ac4c47b1571cf165b4f

Download Submit
C:\Users\Admin\Desktop\чит для ксго.rar

Filesize
147KB

MD5
59e36577ed49cf6d68aedf7fc0ae4e40

SHA1
bc78b3963a0477feac07e4394d6504fc6ab3c706

SHA256
0d92a4a55567764cfef918cbbc4435fdea01d36c5de259a94d45a66b566220b1

SHA512
19d93ed0884ac42e50692b693a197a97f982d5cf8078f454a5d56e2ce62a0ed9d15a679fe37f24cc5afd414b144c2ddc22e69a96dbe6ddd9260bd8d5c20a76e0

Download Submit
memory/3820-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-427-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/4036-426-0x0000000071DC0000-0x0000000072370000-memory.dmp

Filesize
5.7MB

Download
memory/4036-425-0x0000000071DC0000-0x0000000072370000-memory.dmp

Filesize
5.7MB

Download
memory/4036-498-0x0000000071DC0000-0x0000000072370000-memory.dmp

Filesize
5.7MB

Download
memory/4036-504-0x0000000071DC0000-0x0000000072370000-memory.dmp

Filesize
5.7MB

Download
memory/4036-505-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/4036-511-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/4176-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download