Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-09-2023 19:33

General

  • Target

    https://github.com/kap-s/kaps-cheat/blob/main/kaps%20custom%20cheat.exe

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1020320395158634589/fwKZGT0bv91EipWabWtmJOsr2Vr-67JbIPEKZ7gJTHnPAc6pXPQwW4-D81rYUie2_Fvt

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 11 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kap-s/kaps-cheat/blob/main/kaps%20custom%20cheat.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaac8046f8,0x7ffaac804708,0x7ffaac804718
      2⤵
        PID:5088
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1748
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        2⤵
          PID:2808
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
          2⤵
            PID:4692
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
            2⤵
              PID:4396
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
              2⤵
                PID:928
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                2⤵
                  PID:4992
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1696
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                  2⤵
                    PID:2768
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4612 /prefetch:8
                    2⤵
                      PID:4660
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5896 /prefetch:8
                      2⤵
                        PID:4956
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
                        2⤵
                          PID:3956
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
                          2⤵
                            PID:1700
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
                            2⤵
                              PID:3936
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                              2⤵
                                PID:3212
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1588
                              • C:\Users\Admin\Downloads\kaps custom cheat.exe
                                "C:\Users\Admin\Downloads\kaps custom cheat.exe"
                                2⤵
                                • Looks for VirtualBox Guest Additions in registry
                                • Looks for VMWare Tools registry key
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Maps connected drives based on registry
                                • Checks SCSI registry key(s)
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3624
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 3624 -s 2284
                                  3⤵
                                  • Program crash
                                  PID:4108
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4780 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2240
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3408
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2848
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -pss -s 424 -p 3624 -ip 3624
                                  1⤵
                                    PID:2968
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:1700
                                    • C:\Users\Admin\Downloads\kaps custom cheat.exe
                                      "C:\Users\Admin\Downloads\kaps custom cheat.exe"
                                      1⤵
                                      • Looks for VirtualBox Guest Additions in registry
                                      • Looks for VMWare Tools registry key
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Maps connected drives based on registry
                                      • Checks SCSI registry key(s)
                                      • Checks processor information in registry
                                      • Enumerates system info in registry
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4228
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 4228 -s 2168
                                        2⤵
                                        • Program crash
                                        PID:5052
                                    • C:\Windows\system32\WerFault.exe
                                      C:\Windows\system32\WerFault.exe -pss -s 524 -p 4228 -ip 4228
                                      1⤵
                                        PID:2260

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        048656f46cbeec431fc9211b492b0210

                                        SHA1

                                        472e28d665f77507f42fd6d4373d69efe4817fb6

                                        SHA256

                                        b70bedb089a51bc48a6d94fdc9a44db7310d8ab1d5f17c0592e438a42efff050

                                        SHA512

                                        ab8a2e36fb6fa2afb017f26c1e15249f4d76ae7fef0a5c6142d50b11072242d2fc74bec1ee0c7973a4ec3b3109c3e26a7b48b778343208644dcf806b74572c2c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        1KB

                                        MD5

                                        c73340f3939af860a26df8a3bbb6c20a

                                        SHA1

                                        7f1a773d94328e0143be2e065599cef80d75d87c

                                        SHA256

                                        9b3fb0ca3851d9f064c9dbbd1089338d6c726599aed07c942b1a01a71b70de06

                                        SHA512

                                        bd03c4bf70cdd22b36096efe2bdf16161f5567d60db9b6cd29f8acc40974c3ceb203df514d829aeb4bd1ab08781970d5019be034adc4e8ba3915de30d179f529

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        111B

                                        MD5

                                        285252a2f6327d41eab203dc2f402c67

                                        SHA1

                                        acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                        SHA256

                                        5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                        SHA512

                                        11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        579B

                                        MD5

                                        46fa4f5f7344089589d117bd7599b3a9

                                        SHA1

                                        b6cc1fe19e527d4a372c97e4d195ed94eee40030

                                        SHA256

                                        223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

                                        SHA512

                                        6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        7d0292f806bb257aa0826e096064435e

                                        SHA1

                                        af66208aeb6162e9f990872947c911389f0e9923

                                        SHA256

                                        70239bbe12f0e8183bbaf43252fba6f4679dbe5779b3142e0ffcdd3babaa4481

                                        SHA512

                                        34bce704c59f35b6159ce02ee9f772aa34e0ba1e832f253cc38ae8db1a29356841f5b046474f6e42183a53c32c978eb83d48b58427e178d42d806fa4a2394684

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        d643830dfbbed2253b2ac24dbe2e3071

                                        SHA1

                                        922ff288cec1a8c9c5a9bda95e3708ebf829cc63

                                        SHA256

                                        165e5a4064a7c3eb1c048354181c02055fde21b861d22767a28c57ae3d81b839

                                        SHA512

                                        5453e76ff1db8979ac4940b0f70bb28513408f236db99cb5bc2f2ca11e9587f2c436882c704921d042790653a28536529ab7b9e013eda24af046bafefa04a403

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        e8962eace8c1425e5eb405269afc7278

                                        SHA1

                                        733d7809be32f455cb1f0a0b0b64c7619cc23cd2

                                        SHA256

                                        f74a4378432878182c30fd211187bfc6483878bfd0049394bc0e574de26fbded

                                        SHA512

                                        def0ab6a3dd74ba6dd7f000ec3a4567f0e0be2f804798f4e3a8e3148130971a35ec719b5a2fd8fb8a8cc81c6f5890129b8e7f5865eb9d622e647909c75521d2e

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                        Filesize

                                        24KB

                                        MD5

                                        b2cf4d0049ace39b74eef79a55294004

                                        SHA1

                                        d7c3ca52a379d2e60352e30270360f961bbb2ec0

                                        SHA256

                                        f09ecec25a5a6280529f91f243579b90dff160b1432b685455031fd1dc4c4f6f

                                        SHA512

                                        75dbba4e152552da37f9f7b5b8655c7034c070db3bdbc3c4ec20bc5e509c420df86f6f5ef0126ca21b3eb73fee1ca93d1b555896a51a95e806655de491dcbc16

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                        Filesize

                                        1KB

                                        MD5

                                        ef6dcf73b662d04c19032d5cf3c48bda

                                        SHA1

                                        f0d29638d2102f6901fa5b9de9485d65c7ab2192

                                        SHA256

                                        19b2e0e0a92bde6dd67c3237193465e3fbee2919ea566d71c7a322c202c256c3

                                        SHA512

                                        d4b5d219afcc0672ceaf454dbff8f4d5fd5cfde2de479404c7120d95461a7205fe13697affb3718f10b7dcc0cfc3f30a5bf61fedb1ac9e47a6c9c1a1ae79526a

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e6e5.TMP

                                        Filesize

                                        1KB

                                        MD5

                                        7b85bc3cdf69c6a344ae5bf4fff0d536

                                        SHA1

                                        6861070854f77cbdb0696e77b78769ebc977caa0

                                        SHA256

                                        ade48334c2e299f870085c53cff21529dff9b810df18ad8e8a78462c557186bc

                                        SHA512

                                        7295ed364050f9b82a9e4af92eef1e91637aa8453a25e5ad0649391aa09ad03a813e1176d6dc55f1ca937389bff241317cb9bdbadff5163941734ac35d05f5cf

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        5a4ae906f00670c1e8dd5298bba1167d

                                        SHA1

                                        aa7436d943788a4009eef95d52dc2ce1e128ea96

                                        SHA256

                                        4368b0137a314eec61e36709165f29b18ec293392d190a85d01ef4ddc24d6b32

                                        SHA512

                                        3bdad69ac0f09a3f546b569c2ff45e14b66ef46db70f5e882a11b7f4d9609159638a602b33e2289852905342131f37537beb89f4cbcaa4c262ca102695593377

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        74b5d8a17be68fb39353b3763af5c9c7

                                        SHA1

                                        78257c97e4fdae8f2e45ed73e3ced30a016757a5

                                        SHA256

                                        f6bcfa791a88a7ebe5f8031dee5ca9fe537f7ac26468283a7cc7c85367e5e4ed

                                        SHA512

                                        8b84b4f8d3c5e32d48ee83467a7aade7d72f4c971a15324f065d2d82bb97493b7071f2dc5c39961ff285e981295abd0f952bf63ee68feb84f603201479030439

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        f6dd6e3c0382c3e8cb01819f2bfaba21

                                        SHA1

                                        00486386f80bd8fb2dcffefa8cd6098629f16914

                                        SHA256

                                        b0b2a3a9afa241f77fe31e435e615428b6d74c1dae7454334e741ab81592d467

                                        SHA512

                                        538b974db99a6935cffcee9daafb133d5ea4b27102d386b2922db3220fc9cb23d85ee3ceb52d065794bdac090d1056539d5f446886b6f9c6c3cda4037e369c86

                                      • C:\Users\Admin\Downloads\Unconfirmed 164875.crdownload

                                        Filesize

                                        42KB

                                        MD5

                                        d11da20bc7c32d6b6d2dd66b4463e1f3

                                        SHA1

                                        9f8441ae3a4b31fbc6abdbe18f87ab9885394d2c

                                        SHA256

                                        e93f96f62d09571aa9bf1a3b0db743d99fe287c7eb1e0cc18d6dccf7909cd672

                                        SHA512

                                        f288075d20b8bf197baf2ef23cbca121e2ff73b0ada90a9d811d4b90c6a6209f8c34092695070be7ad8d874cc9774661694a503b4419171457182784f0010cc7

                                      • C:\Users\Admin\Downloads\kaps custom cheat.exe

                                        Filesize

                                        42KB

                                        MD5

                                        d11da20bc7c32d6b6d2dd66b4463e1f3

                                        SHA1

                                        9f8441ae3a4b31fbc6abdbe18f87ab9885394d2c

                                        SHA256

                                        e93f96f62d09571aa9bf1a3b0db743d99fe287c7eb1e0cc18d6dccf7909cd672

                                        SHA512

                                        f288075d20b8bf197baf2ef23cbca121e2ff73b0ada90a9d811d4b90c6a6209f8c34092695070be7ad8d874cc9774661694a503b4419171457182784f0010cc7

                                      • memory/3624-195-0x00007FFAA9590000-0x00007FFAAA051000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/3624-191-0x00007FFAA9590000-0x00007FFAAA051000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/3624-190-0x0000000000A10000-0x0000000000A20000-memory.dmp

                                        Filesize

                                        64KB

                                      • memory/4228-223-0x00007FFAA8CC0000-0x00007FFAA9781000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/4228-245-0x00007FFAA8CC0000-0x00007FFAA9781000-memory.dmp

                                        Filesize

                                        10.8MB