njrat | hxxps://drive[.]google[.]com/file/d/1GlP7oZxLvX2FfOYcBXipbE6wG6OH229K/view?usp=sharing

Analysis

max time kernel
190s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1GlP7oZxLvX2FfOYcBXipbE6wG6OH229K/view?usp=sharing

Score

10^/10

njrat umbral hacked evasion persistence stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

having-jackson.gl.at.ply.gg:56522

Mutex

7c148ac38012fc3caa04b1bbe75feba0

Attributes

reg_key
7c148ac38012fc3caa04b1bbe75feba0
splitter
|'|'|

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023136-352.dat	family_umbral
behavioral1/memory/4544-359-0x000001BA0B230000-0x000001BA0B270000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5776	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	KiwiX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	KiwiX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Inj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	KiwiX.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe

Executes dropped EXE 10 IoCs

pid	Process
5168	KiwiX.exe
1788	Inj.exe
4316	KiwiX.exe
3476	Inj.exe
1388	Inj.exe
4544	tmp7EFF.tmp.exe
2568	KiwiX.exe
5828	Inj.exe
5824	Inj.exe
5908	Inj.exe

Loads dropped DLL 21 IoCs

pid	Process
5168	KiwiX.exe
5168	KiwiX.exe
5168	KiwiX.exe
5168	KiwiX.exe
5168	KiwiX.exe
5168	KiwiX.exe
5168	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\Desktop\\KiwiX(V5)\\Inj.exe\" .."	Inj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\Desktop\\KiwiX(V5)\\Inj.exe\" .."	Inj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	KiwiX.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1500	msedge.exe
1500	msedge.exe
1632	identity_helper.exe
1632	identity_helper.exe
5148	msedge.exe
5148	msedge.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe
1788	Inj.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5284	7zFM.exe
5344	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5284	7zFM.exe
Token: 35	5284	7zFM.exe
Token: SeSecurityPrivilege	5284	7zFM.exe
Token: SeDebugPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: SeDebugPrivilege	4544	tmp7EFF.tmp.exe
Token: SeIncreaseQuotaPrivilege	6064	wmic.exe
Token: SeSecurityPrivilege	6064	wmic.exe
Token: SeTakeOwnershipPrivilege	6064	wmic.exe
Token: SeLoadDriverPrivilege	6064	wmic.exe
Token: SeSystemProfilePrivilege	6064	wmic.exe
Token: SeSystemtimePrivilege	6064	wmic.exe
Token: SeProfSingleProcessPrivilege	6064	wmic.exe
Token: SeIncBasePriorityPrivilege	6064	wmic.exe
Token: SeCreatePagefilePrivilege	6064	wmic.exe
Token: SeBackupPrivilege	6064	wmic.exe
Token: SeRestorePrivilege	6064	wmic.exe
Token: SeShutdownPrivilege	6064	wmic.exe
Token: SeDebugPrivilege	6064	wmic.exe
Token: SeSystemEnvironmentPrivilege	6064	wmic.exe
Token: SeRemoteShutdownPrivilege	6064	wmic.exe
Token: SeUndockPrivilege	6064	wmic.exe
Token: SeManageVolumePrivilege	6064	wmic.exe
Token: 33	6064	wmic.exe
Token: 34	6064	wmic.exe
Token: 35	6064	wmic.exe
Token: 36	6064	wmic.exe
Token: SeIncreaseQuotaPrivilege	6064	wmic.exe
Token: SeSecurityPrivilege	6064	wmic.exe
Token: SeTakeOwnershipPrivilege	6064	wmic.exe
Token: SeLoadDriverPrivilege	6064	wmic.exe
Token: SeSystemProfilePrivilege	6064	wmic.exe
Token: SeSystemtimePrivilege	6064	wmic.exe
Token: SeProfSingleProcessPrivilege	6064	wmic.exe
Token: SeIncBasePriorityPrivilege	6064	wmic.exe
Token: SeCreatePagefilePrivilege	6064	wmic.exe
Token: SeBackupPrivilege	6064	wmic.exe
Token: SeRestorePrivilege	6064	wmic.exe
Token: SeShutdownPrivilege	6064	wmic.exe
Token: SeDebugPrivilege	6064	wmic.exe
Token: SeSystemEnvironmentPrivilege	6064	wmic.exe
Token: SeRemoteShutdownPrivilege	6064	wmic.exe
Token: SeUndockPrivilege	6064	wmic.exe
Token: SeManageVolumePrivilege	6064	wmic.exe
Token: 33	6064	wmic.exe
Token: 34	6064	wmic.exe
Token: 35	6064	wmic.exe
Token: 36	6064	wmic.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: SeRestorePrivilege	5344	7zFM.exe
Token: 35	5344	7zFM.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe
Token: SeIncBasePriorityPrivilege	1788	Inj.exe
Token: 33	1788	Inj.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
5284	7zFM.exe
1500	msedge.exe
5284	7zFM.exe
5344	7zFM.exe
5344	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5168	KiwiX.exe
5168	KiwiX.exe
4316	KiwiX.exe
4316	KiwiX.exe
2568	KiwiX.exe
2568	KiwiX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2068	1500	msedge.exe	87
PID 1500 wrote to memory of 2068	1500	msedge.exe	87
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 2148	1500	msedge.exe	88
PID 1500 wrote to memory of 1556	1500	msedge.exe	89
PID 1500 wrote to memory of 1556	1500	msedge.exe	89
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90
PID 1500 wrote to memory of 3144	1500	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1GlP7oZxLvX2FfOYcBXipbE6wG6OH229K/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cf1f46f8,0x7ff8cf1f4708,0x7ff8cf1f4718
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,16560877442560277215,7795930335125584451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\kiwiX V5.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6140

C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe
"C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5168
- C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe
  "C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe" \Users\Admin\Desktop\KiwiX(V5)\inj.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe" "Inj.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\tmp7EFF.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp7EFF.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6064

C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe
"C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4316
- C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe
  "C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe" \Users\Admin\Desktop\KiwiX(V5)\inj.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe
  "C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe" \Users\Admin\Desktop\KiwiX(V5)\inj.exe
  2⤵
  - Executes dropped EXE
  PID:1388

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\kiwiX V5.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5344

C:\Users\Admin\Desktop\Hitler se\KiwiX.exe
"C:\Users\Admin\Desktop\Hitler se\KiwiX.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2568
- C:\Users\Admin\Desktop\Hitler se\Inj.exe
  "C:\Users\Admin\Desktop\Hitler se\Inj.exe" \Users\Admin\Desktop\Hitler se\inj.exe
  2⤵
  - Executes dropped EXE
  PID:5828

C:\Users\Admin\Desktop\Hitler se\Inj.exe
"C:\Users\Admin\Desktop\Hitler se\Inj.exe"
1⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\Desktop\Hitler se\Inj.exe
"C:\Users\Admin\Desktop\Hitler se\Inj.exe"
1⤵
- Executes dropped EXE
PID:5908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Inj.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
a00c3365e778d53e5129c63371ef368e

SHA1
0a2cabbca7c0af7f98a76498dc5a5421616f4d2d

SHA256
c1540dbcab2c7985d66a5674edb2fc1ddc5fbb9366428fdf584b1782c11f9819

SHA512
113ed663696606d83a32c8baaaf0987c620b90e611345f5b9ee09f679d94f6b687f81f56c89cad924c9b408529595cf3cedffdc615f30990928f69b1c2976f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ed71cc327a01f0f063423e9774ad4abf

SHA1
f358efcc73bb7e6fc5c19ca33ecfe5992b3d9d55

SHA256
9ced44bbe5761ec8c0e469f602a719b35e1f506fdd9d99b8f7274cafbb0e4345

SHA512
c75e1e99458ce12c4bce023a5ffbf17355ad2a600cded6526734c4235e3b94139e40328709e0f10b488a2aed3f6eaa0d08f9e3903865eedfdab660795840d947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75e3e60b5deeacf63545b89572fde339

SHA1
efed5bb1835fd4a2761ed6d3d8c72a46d851cc3a

SHA256
4fe410b51fa587b9b3980c7f759145569705e89eb5c190ad651da6562d2c7414

SHA512
64ce423ef5bc33a4a901e3cd4590289fbf65c7345bfc00769717304f8f17ed7a4ff3e0212df693bd1b6a480c69bc9cbc79146257b3eaa99e66bc7be143c1ea81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a8abc841bccce22802ed333ff58e0c5

SHA1
24dccfb8ef5285e6486c2c65910003bb5213da0b

SHA256
5a753cb104f19d586e5b399e88fd47425b21fae9a525a2803553cf075486a89a

SHA512
c71a969e0e5a80d291cdc2e557247474e5526c725652a1542a2b0d4b915ac30087ac572c3701acd802699fdb032c0024efa2869135c6995ef9d3202fad6f98c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e558ef82c26e40e5d9cbb573bd3e973

SHA1
4e92ea73c433b236ec77945979a057e1392a2421

SHA256
8307bf0e17409addc5b133e5f0818678612e8f0cc843de3dedc4e2f837f330be

SHA512
4d56bc71d78ada6465de1195b116300b0c344655f9373e65b5c12168a0422f102b6b20855944d92929790538c4cd1574dfb287bb83df0e81989544e6c9f1cb0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b58bfa97abc70740c4217dc8319efb5

SHA1
480449b826c18509c4de6c72c33e1a0c8e65ef84

SHA256
238f60bdea6e709a289a65cf5ed4af3e70bc60fd900b5c9f9babca068c793c7d

SHA512
2ccf496ba6a9c4789a063bae6115d54db482578a13a01b2a70789c9c42421ec89af1f770d6243cec0c6d2d17d75221a706d4991e2952960a1f1423eb4bdb0b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90eb7302980b4f18cb682ab47a1a03ee

SHA1
a66cdc353c4ef87106bf7c1a073dd0dbee30f19d

SHA256
15f1e815c2944a1f607be8f06e2e0215d772d9d15d8d769aee5ef07c966a5ebf

SHA512
635de88330bcfce24773e5cd28c158898c243ff8cdf560f3ba673cde6224c4754f65295c4fb84f57f25b3ca78e05a8656c11d84a54284c0ed11a0f7d1a72e499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68c91a0d70c463426f1acf0240685b8a

SHA1
d1c06ddc79f6ee8148bc25787b36f8fa4efbce79

SHA256
0953743cc567546a7cdf5cbdd33447e432a2203fc904d219b5da558240fbb55a

SHA512
1f3cc69b959b62fe025563b2004ee369be9ac3c701359e6b462a839c084d0c559a2f5cd1bf72e63f1aaee8a573d26e504381682612d36f1c3184eccdfd036651

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0E4BE439\Exec.dll

Filesize
6.9MB

MD5
1ed364cd6081f058fd52545e65f31fcd

SHA1
d3cb3660b497d0a6c2e75bd7e679fee3641272fe

SHA256
43830608991e3480dbd8cea33f7a968a388497df1bf2fe61d00ad60627231cbf

SHA512
6f79120e4976dc9a659008535a86f691c511eac9da8919617591a3ae595ba25879f9e3ba455ea8cbfe479d35bb7405264ebdfd599aeb518d9f4861fe4d69bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\DialogPower.mfx

Filesize
104KB

MD5
e7ee84c44aec90fdc7c8bfaa14238b1d

SHA1
04171b0ed715a1b0fb0cc668aedba75d88dd27d2

SHA256
2d0ee61ededcd628a8fa0227e2c7e6014f58f3edd7ca12101a4b80d016b282e3

SHA512
55d7cba57ef37f1274e67abb64786cbf91cfe1e9bb9b6e7ad4f120a3b840c861d427b2e49b1ed73276ac020d6f8e40a5e00e20dc7d489a729ed631acc1a7979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\kcedit.mfx

Filesize
32KB

MD5
a00acf3af0958898345fca9893cb6f57

SHA1
561717e33e2877fd0db99411265186ca468041bd

SHA256
b38ad01ad8a22f3f553530b000d6d061356601d308e6a79284605c30cb0674ad

SHA512
9435f612a23864ac7e4d22cff927b4155463fdddd8d143b805d7233dd372e9a5975c9a4170de9bcfc3adce4ab9fffdab2937f053e48743d2791753d2dc727850

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\kcplugin.mfx

Filesize
24KB

MD5
f7851d2b959639cdb47b47022774f3e7

SHA1
a9b79f17ddd23ccfceb6dc7b8552627d7697bb0f

SHA256
19c2a0ed5f23954ea52f1afe135065aeb958c6230dc254b06e50acc8546c5266

SHA512
87e9680bb6da4e3dae9b0be5b41c2d69550788fdec3e9424656d3bf81cc354c47ac60eceef17b3755cffa8ad78dab490326123782ce0036ac088138b954dc94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\kcwctrl.mfx

Filesize
63KB

MD5
fa3aa3c51150eb5410dc3d74484d84bb

SHA1
3ffca600b9d8b2d580c99021c95e8c6400d9a824

SHA256
0666e52ea54bb2bdb81216443ea0787b8fcc6292b64d6bdf285eebf42e1bbae6

SHA512
81ec7ec2a5877d1b226dfb4ccc8c3946b61fb409d5c53c789e6f8c310a0dc0b3ce1681613cc110a5559540a0ab302e6c36a00d0df07acb41c5a7c35b37d4594a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\mmf2d3d11.dll

Filesize
541KB

MD5
839633898178f35f6de0b385b7de0ec7

SHA1
5396e52c45954f0953cc8cf2095b122f7353180e

SHA256
5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a

SHA512
b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\mmf2d3d9.dll

Filesize
1.5MB

MD5
c85bcc9f3049b57aa8ccbb290342ff14

SHA1
38f5b81a540f1c995ff8d949702440b70921acc5

SHA256
bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5

SHA512
5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF685.tmp\mmfs2.dll

Filesize
768KB

MD5
200520e6e8b4d675b77971dfa9fb91b3

SHA1
0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07

SHA256
763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b

SHA512
8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EFF.tmp.exe

Filesize
230KB

MD5
428a7c63eff6bc7ca12c5b424e393c5d

SHA1
ebf788ee78bcf18348375f0a68fcc22f08639938

SHA256
7748aab1e6ad0bab94f9a0e0c444302957fc5e345d207a10531ce34227ab8639

SHA512
c33e6d335dd18e56c9461d0acd983e96ec496bca1d7fa9523076535877e8cdd811179c7b792f4adbed25fde7ae04c46e5abc827f95a51a1a3b772de7f0988d0c

Download Submit
C:\Users\Admin\Desktop\Hitler se\KiwiX.exe

Filesize
1.8MB

MD5
854d22c88e49a719275643da96042b4a

SHA1
871bce4a24a3c18c0d6348ebfbf26e13a81b9a47

SHA256
8da85e7558bc4fc8b8b907cb3e771decd664356bbec9457978d024fc9001f2c0

SHA512
04c51785ecb25cef77589bb77c7b56116a7ba5419f485bf4c5d2b0b1bb6bd912851f7315ef6dfe5f4f52df0370561059eaaef030abcfe66bf6973f873c462d41

Download Submit
C:\Users\Admin\Desktop\Hitler se\KiwiX.exe

Filesize
1.1MB

MD5
3c32442689a3c0abbccf5853eada5229

SHA1
ec4b19cd9976bb64fe324f25efdf5c581e998cfd

SHA256
682d0ac9d605ee3aae7776ae9f684a07d9900e6a2c941359b2ad0dcf8e1de2a1

SHA512
407355f75e8a98d3a09f1a7776e2a0251ec59a10ee2253b14a1cdc1c9bce790d8ceb8e496aea0ebb94dbb2ae4bf83b502eb7a5ea926d04abf47938ba2d5ce40e

Download Submit
C:\Users\Admin\Desktop\KiwiX(V5)\Inj.exe

Filesize
37KB

MD5
a12b87737b9637da2adb6e45ce87aede

SHA1
a5de9fe0ae583763d14d596230b948527b22e7c2

SHA256
444f55f45bfcc215e864322f2e96ca4c4098fb53b2e6bb083bd37a6db76cc9c6

SHA512
2140671debd59d7b3267a9e5768ef4bff463ef2f1ed7172d7955236e216a0aefbb54fd6ca05701c728bbf6d16a902de9627aacb23aab7c9ef682e356a7f23bdf

Download Submit
C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe

Filesize
3.8MB

MD5
b367ab5cb8286aa0d4c3aeaa7204ad2f

SHA1
c5a2e63e604acd90226cb78a9de194e5ccacda0e

SHA256
c7e54e2ee5dc91af44b68090111569deed21397957f9335b392dd288ec40686e

SHA512
9054dfd48cc27670104ae004efcaf9960afad3dbb8b3d2d47c2d3a7e4731edb8b567f96d852a5d2f368063eb5caff537578837e78ab4dcacea669224ecce9a87

Download Submit
C:\Users\Admin\Desktop\KiwiX(V5)\KiwiX.exe

Filesize
2.0MB

MD5
c67cba144ce97bc8f91428f68aebf031

SHA1
3b6deff0334d382369031d246676141e0407dab9

SHA256
338eb734522f47cefcf419b7c617cc393710fd316a70190ca67a2179f7679156

SHA512
ec37426340ca9027040bd8c046c9e37a5b74c9d31db4c5f6ad16d4392a8df3709dce62bdcee2c37d6ed12079294d3d25986c5e8f7a404e71a3d1ed4322dd5f5c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 342391.crdownload

Filesize
8.7MB

MD5
da1a6d313725cda358caba7f36f9d92b

SHA1
9a796abcea1c1bff84b4f83e3a92c33cbb4a2130

SHA256
a91effea2d0a0717e9c0d2b91b338ab1caf38852e41c40c143060affdd322202

SHA512
84e420a887e36e48964d205f5efdd3402a2331f5da508d7cb4afdea6b4cecca22c0521d2499a59d3b3759e80ac7ee339f00c0af160b1c7058f223a8614ded16b

Download Submit
memory/1388-332-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/1388-338-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-333-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-331-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1788-330-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1788-285-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1788-334-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1788-365-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1788-364-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1788-286-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/1788-339-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1788-324-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1788-287-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1788-413-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/3476-328-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/3476-326-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/3476-327-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/3476-336-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-359-0x000001BA0B230000-0x000001BA0B270000-memory.dmp

Filesize
256KB

Download
memory/4544-361-0x000001BA0B690000-0x000001BA0B6A0000-memory.dmp

Filesize
64KB

Download
memory/4544-360-0x00007FF8BEFF0000-0x00007FF8BFAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4544-363-0x00007FF8BEFF0000-0x00007FF8BFAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5824-420-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5824-428-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5824-422-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5824-421-0x0000000001900000-0x0000000001910000-memory.dmp

Filesize
64KB

Download
memory/5828-416-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-418-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-424-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-417-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/5908-425-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5908-426-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/5908-427-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download
memory/5908-429-0x0000000071D40000-0x00000000722F1000-memory.dmp

Filesize
5.7MB

Download