a693fff41c4e738cfa6b7f0e9bcf51ae341b276b81189fa698f0c0ede4a8a54e

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kiwi X.rar
Size

28.5MB
MD5

0aa7defe6f32e1e2e024f62f72178af6
SHA1

d8d318688cbc73faac2adfd8609e110997ee2c68
SHA256

a693fff41c4e738cfa6b7f0e9bcf51ae341b276b81189fa698f0c0ede4a8a54e
SHA512

c8e0760d60495a2a9e8e7762132cdeba8ba535effbb58fdfc26fa3fb9b13404f92b7af85b54a185157b43bd5411d2d626048983f02b50cbf9610ce8aad570802
SSDEEP

393216:fvKurZfJU52CyQ59CZpTJFfLMSu3lu15+gsfNncYPpnDTYHN/HKpbQn5pRjq2Y5s:fvvZxky29C5VKY1P3YpD0VH9fFfiXc

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Kiwi X Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Kiwi X Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Kiwi X Bootstrapper.exe

Executes dropped EXE 6 IoCs

pid	Process
396	Kiwi X Bootstrapper.exe
2548	Kiwi X.exe
1892	Kiwi X Bootstrapper.exe
632	Kiwi X.exe
3300	Kiwi X Bootstrapper.exe
4828	Kiwi X.exe

Loads dropped DLL 10 IoCs

pid	Process
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe
4828	Kiwi X.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
42	pastebin.com
43	pastebin.com
61	pastebin.com
73	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1440	2548	WerFault.exe	104
2128	632	WerFault.exe	110

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
396	Kiwi X Bootstrapper.exe
396	Kiwi X Bootstrapper.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
1892	Kiwi X Bootstrapper.exe
1892	Kiwi X Bootstrapper.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3300	Kiwi X Bootstrapper.exe
2404	msedge.exe
2404	msedge.exe
332	msedge.exe
332	msedge.exe
5232	identity_helper.exe
5232	identity_helper.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3856	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3856	7zFM.exe
Token: 35	3856	7zFM.exe
Token: SeSecurityPrivilege	3856	7zFM.exe
Token: SeDebugPrivilege	396	Kiwi X Bootstrapper.exe
Token: SeDebugPrivilege	2548	Kiwi X.exe
Token: SeSecurityPrivilege	3856	7zFM.exe
Token: SeDebugPrivilege	1892	Kiwi X Bootstrapper.exe
Token: SeDebugPrivilege	632	Kiwi X.exe
Token: SeSecurityPrivilege	3856	7zFM.exe
Token: SeSecurityPrivilege	3856	7zFM.exe
Token: SeDebugPrivilege	3300	Kiwi X Bootstrapper.exe
Token: SeDebugPrivilege	4828	Kiwi X.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
3856	7zFM.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3856	4140	cmd.exe	88
PID 4140 wrote to memory of 3856	4140	cmd.exe	88
PID 3856 wrote to memory of 396	3856	7zFM.exe	103
PID 3856 wrote to memory of 396	3856	7zFM.exe	103
PID 3856 wrote to memory of 396	3856	7zFM.exe	103
PID 396 wrote to memory of 2548	396	Kiwi X Bootstrapper.exe	104
PID 396 wrote to memory of 2548	396	Kiwi X Bootstrapper.exe	104
PID 396 wrote to memory of 2548	396	Kiwi X Bootstrapper.exe	104
PID 3856 wrote to memory of 1892	3856	7zFM.exe	109
PID 3856 wrote to memory of 1892	3856	7zFM.exe	109
PID 3856 wrote to memory of 1892	3856	7zFM.exe	109
PID 1892 wrote to memory of 632	1892	Kiwi X Bootstrapper.exe	110
PID 1892 wrote to memory of 632	1892	Kiwi X Bootstrapper.exe	110
PID 1892 wrote to memory of 632	1892	Kiwi X Bootstrapper.exe	110
PID 3300 wrote to memory of 4828	3300	Kiwi X Bootstrapper.exe	117
PID 3300 wrote to memory of 4828	3300	Kiwi X Bootstrapper.exe	117
PID 3300 wrote to memory of 4828	3300	Kiwi X Bootstrapper.exe	117
PID 4828 wrote to memory of 332	4828	Kiwi X.exe	118
PID 4828 wrote to memory of 332	4828	Kiwi X.exe	118
PID 332 wrote to memory of 2680	332	msedge.exe	119
PID 332 wrote to memory of 2680	332	msedge.exe	119
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 4580	332	msedge.exe	120
PID 332 wrote to memory of 2404	332	msedge.exe	121
PID 332 wrote to memory of 2404	332	msedge.exe	121
PID 332 wrote to memory of 2624	332	msedge.exe	122

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Kiwi X.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1392
        5⤵
        Program crash
        
        PID:1440
- - C:\Users\Admin\AppData\Local\Temp\7zO01F4F787\Kiwi X Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01F4F787\Kiwi X Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\7zO01F4F787\Kiwi X.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO01F4F787\Kiwi X.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1388
        5⤵
        Program crash
        
        PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2548 -ip 2548
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 632 -ip 632
1⤵
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2988

C:\Users\Admin\Downloads\Kiwi X Bootstrapper.exe
"C:\Users\Admin\Downloads\Kiwi X Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\Downloads\Kiwi X.exe
  "C:\Users\Admin\Downloads\Kiwi X.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kiwiexploits.com/KeySystems/start.php
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc2c7046f8,0x7ffc2c704708,0x7ffc2c704718
      4⤵
      PID:2680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:2980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      PID:3848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
      4⤵
      PID:2640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
      4⤵
      PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
      4⤵
      PID:5508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
      4⤵
      PID:5380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
      4⤵
      PID:2484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,9471658819913158678,9839136173069942398,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kiwiexploits.com/KeySystems/start.php
    3⤵
    PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc2c7046f8,0x7ffc2c704708,0x7ffc2c704718
      4⤵
      PID:5476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_b3wih0esein5l0z5jywk04wd0i141d13\1.1.0.0\user.config

Filesize
800B

MD5
87946c5940249d12440b1cce22bfc7ea

SHA1
e0a1bc124fe907e8bc741a21d823c28e12c9ddde

SHA256
93dbec861a82964169fd542dd1cec94a0ffcf26712af353a4ee7a41962142dd0

SHA512
3d658b69475f1d1fff5281a0eed9e268ecaee23819d0e9c668e3128282f5569f44afa3af5aec3f58a4dbd75baea9ebb0e155840c66e7b6d0edb74a69db3561e1

Download Submit
C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_b3wih0esein5l0z5jywk04wd0i141d13\1.1.0.0\user.config

Filesize
906B

MD5
01b3e045880696941ed19da4d624f5c0

SHA1
7e0aa482ea6a7c2cf36270bc0f68ed790c0d30b3

SHA256
a478fff0adf4c6e9d451f091fd28c02ada52e5edd13c3292702ad6184ab007b5

SHA512
3f1de3403b679f33054d37dc2c657c380ebee62f35f7d80ac840fdea6948d2d709c5a2fcec687d486ec2fe10cf94304fe0a8246d58d93940e5c207fe9a7140f2

Download Submit
C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_qtkx2ykqmi14uo0xveu2szblmd1lmdzj\1.1.0.0\user.config

Filesize
310B

MD5
fc4bddde3292e03d5586f62d92189b1b

SHA1
ceeba68f267f5568b9b0766468724ff8b608d412

SHA256
dc981b12d99456f4676ee1352af94da5292cd618b416aeedc8d8ba5a492c3e1b

SHA512
94155fbd6e0f54fe282752d5cad19bf09c4835ce96a466a5a38bd7024ed1090d58ee672a0d5f09c918df2ee79c795c59ef79ca182213f78801cfc649760b3c73

Download Submit
C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_qtkx2ykqmi14uo0xveu2szblmd1lmdzj\1.1.0.0\user.config

Filesize
416B

MD5
d573b0eb98c6d04c74993871673fb128

SHA1
d1bef264405318467a8d82e6a9a2de816cf85459

SHA256
e38fe2de9ec915b66b5ba2f128fa3eea59d5b273abca60c999381f77d20779ad

SHA512
2d384a40a630cbc2d78e6fc1f832438d898f9e81c4650836dad32caadd871aa0d633b47446609610802e1c16925e476a944f5eeedcb8940ed677ce7ad849dcd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kiwi X Bootstrapper.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
19KB

MD5
022774085962b4896bad822446d32c27

SHA1
1018c5cedb30167e52bff642d153934cfb7ec5aa

SHA256
d514e64cfcc59bef32d6a8fcb92658a94c268588ee6a87957d6030028ab7ee42

SHA512
3e296d19439de90a512642b72fb00e053f4bd6b3eba2da469bd1b4d41789664f1d5710c4f2cd4d8b9de79f03c31eeae3decdf1d066304b87df1c3b2c1d5deef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
20KB

MD5
8f4f4a43d478db32b383b35475ae4a3d

SHA1
bf1ea27537bb3a3abb0b0b9f089b163c9a34f707

SHA256
fb3ba4d4a721bb8b52cd6623ee9353509bf7f069b19c16f59eecb1713e367808

SHA512
de43b3eb1c753623d591e067f0a8ed9ad33d760a0eaddc8d85a9edae5fa0dc8443e5127c86f51e7a2072cf894f5e3ac6da61880ec16dbd9889dfd079e80c2cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e5a9f77fba8dd7a8cd9e78a40ac49b88

SHA1
6ef666b151be091c32bdc9a4c50efae73e8da4cc

SHA256
5cacd1f44384fbe4eba6cf373d772773f9e436d1d915596d133c38709128ef72

SHA512
c82d8b91d02a5406bb03a654bed0daa4eb8e50ec0c7b4e8ff7a8679feb170a9e11c66c98cc713349dc86e8ec27fb215ba6cbbb3d91ed9d836ee01d17cb994df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
910d10a860d5199d85fae4ad61a6b3fc

SHA1
a1ece7fe247a10e01a86d2e8bdd1a791bb1c2476

SHA256
2b7b20492e1eb7c97db50a0e6ac7efc5b81066be0bae68f7f3470414e86b18a9

SHA512
5dc1b75b4380d7aeccacf49d07d46657d811a8514387545d9cbbb87d9e354277eda3e0608f545e30d849259e2547207d7f8f08157bcac62b49c62a145a068194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2ec2fc713777cae4c0f115d39af6aa66

SHA1
7547d1859f309d884e7546da537e7da62eab0a65

SHA256
55e1ba9a31955bd0045d54c92212ab3e52cebc29544642e2d6822173dce306fa

SHA512
07fa28b745478c112602963a752bdff4b03a09d4b3abc411cfa2632c9956ade7685be31bc238ff93b64d61e4f24a8fbcae5b3aa75476b59370c5d6931bc6ec90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4195578abc815d026215536f6ce7e26

SHA1
9c02abead9e768a48623c49836b2431b05a52157

SHA256
cd463841688d4f068b4aa999120450c86cd916e4ecd037bf548ec47fa047a1a5

SHA512
7bae12512584381c6a9ebbc53a092df6e8f98757f19eef26366325525baf1c62f5df87f0bae7b3d695ccae92426221d00804896a2ebe76accf2d25bf05b731ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
108c6fe0f247fb8e23daf7e417f8dd48

SHA1
903ad719a0f388234597114d2533b6a52f2c988e

SHA256
bddfc1558d914f32fbb57121bd0e210a7a64949b58aff33e859f279b77ae0006

SHA512
491c75b45929b17446f15d6967882c16ce51eec768306b816f931924d4b2bcec696cd16b8f2b4b4d17b921142e0b3376baba8afdf9ef49482cb861524ab956af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b7f4ee04620e7e344f975851f11a4c0d

SHA1
5978590325583ff55e5714019b039541b6c864e1

SHA256
14d89d813ce46313a611d7f6c00ef1969985c6c87826acde25f020a862576f48

SHA512
063c4a3d5f1580a9562c31569b8f9436923c706750eee8ac06cfd621d5450adc5637c239feb8cea9873ab2084874b02519b530d77c0ec0d371a17978719a2117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b9f501ad7e37d6ae032f0c1c9ce8ccde

SHA1
cfac074f109be288d8612325c930ef279c419eed

SHA256
ad01c5325c5cc21ed2def5498eedf50d83421980cd4b7fa8cea076f9ac8c6aea

SHA512
a0414d315ba7b5e271f07b6f541702888f5ecebb34d1615e527599d5c0c01e309d4003a5f4bff32602e0cc39a40ea988194c8c532cdff22c140995959058e01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fcbf7e97dcf80c3894fa0e281670361f

SHA1
dcdbbe0d74e0e1a816a2a68cf049fd356d7f0344

SHA256
d810a19de06f07f5cc19d67d88f8c411a381645e65c0e04adfd040cd5da6d166

SHA512
3d1913d797be58749f6da7ec7d41542ae55dd71eee09e3a3b111da822c22c775af6d66ea21a1315342224c8bee887c6489aae61a3623c2c8d48148b992f9e392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57d9374ac86b32a4d6746c21601045d8

SHA1
a0f4cc70ce1e67280b04ec2edef6d142e5a304aa

SHA256
304e3372d821e528d50807ed2f4a7f191be1a0395aecfd85a5860e287275868c

SHA512
b5e4d48d9450cffe5241202e9a4539c26c8e1044a740e57f12e4a85db9b0be0927a32486f901eb5025e898d049cc714471746b79637f9ae2d7648eb4ee3f8c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5913bd.TMP

Filesize
1KB

MD5
a457ac1dda894199afaaefd41832c4d1

SHA1
75fd5cc8bcc708e39b23402dc91086004e51838f

SHA256
87db0ea9428cb89ed99d5901a60f27315e22223572a883a7eb6b379dd8cc1a27

SHA512
d3948e437e657ffec7a42e2c8b0c1e6aac19a9a48c3ede8b033125398b3e8ee0200b592db971ee46511a3c8bca508faca3f4c36c8422f75c603bb53f796095d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
17KB

MD5
aab2532f8363e63359dbf0c31981f57f

SHA1
a21523eb85636a0455977ffe525260a1a8568043

SHA256
a6abef5f074c67b1f9fbee679151a4c705b71f054c98f720dfabdc65786d5d13

SHA512
7b3c4ce6574b36bf0d4e05bba1063798b525744fdb37b28ad6fc78456ef7d704677795ae4dd0d0eda0954d15b3776395fa931abf82dd4b64583c360dd9916f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66cbf09e4cf6a3e2474de5bc0d5f2d63

SHA1
30af8b577669efcf19e8fbd3d99dc8b757acae10

SHA256
fdb2eb8b8247d60a0d36355d2baf8f364fb1563015981faaed386fd0f2048dc2

SHA512
2693132714b789d37b09ace68c6b88dae40864ca1b5c9e162857b29104000748128f2327aceab766592779f7cbad3201130875c85ab5a00d2e2c2d5d9781cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X Bootstrapper.exe

Filesize
178KB

MD5
9f07ff71a41d0707a88c679aeead9bc1

SHA1
4c003b20f81fda703383c3751ac2bdeb41a57987

SHA256
4d819c0df101498676f943c688edcd812161be8e82fd2a1877b5690cd3679ca9

SHA512
c1537f0050fd22edcbd5e47bf4c13754a9126ebe897a2be42d45e302e1dbad2da69af0487a3d2eb373184ddb1c682dbef27ddef616faf5f0c19bd566ae767d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01FE6847\Kiwi X.exe

Filesize
3.6MB

MD5
fec7d6eb28d5a5f7efa5c9ea650bc707

SHA1
1648cdc041fa877a1673f89e8bba55c907ebb482

SHA256
38dc036fe74786370f66ac38cd66f6a4e7afee80380e5253807fa3fdf1457020

SHA512
5562ef46650fc97340cbb17ae7f825a97167e183be90286f8e13b8528019c89f28ac10b94d0fb3ac4c1cae2363a1a734fcca3fb5f8b0ce24cc5f1bc298fbee39

Download Submit
C:\Users\Admin\Downloads\DiscordRPC.dll

Filesize
79KB

MD5
ad463f573775c43a561ade842c41b0e8

SHA1
e70e10a18a3ae85cd1ca9be66a7bb46d99ccccd3

SHA256
6a18dfc8bdc6030787b5814c76b8663dbe5b8ca469beb65a2ca9f5731fa1906f

SHA512
0c790e70150148f4cc516cc9abcdf42a5b28a0785a61cd02ab7d59776df25eaeea287c98522d4b3271cae8bf35f98d91049c6474e81cc2745dc32a808832efe0

Download Submit
C:\Users\Admin\Downloads\Kiwi X.exe.config

Filesize
1KB

MD5
1f48b296eae19f30d6abdd9e1fbc1a14

SHA1
8529346e5c926a9f4ded49320873f70ec6a7f9d0

SHA256
97ca967656db09e3d7046339e5c9e774c179a8d9d7bc72584eb5a8071871c2ec

SHA512
c69e5e0b82a27596bc5e2481d580fdd5588036eec6fc13de31e1dfdfe9a6b81882a69c43a3f3f2f145cf17a55cfb2ce4cd28c21291935fa13336a379f040a7ee

Download Submit
C:\Users\Admin\Downloads\KiwiAPI.dll

Filesize
9KB

MD5
8c77aea0a5007895eaf6a1bf858d1f7a

SHA1
645b7a55f9aa13ffc8ea9921117df1784311c3d9

SHA256
8229e7d6d60f2d7adcbe6fbf43125bd6db1ddb0ed1ed292abed532c4c59d1772

SHA512
e69390824fcb7fe63987170b342a74950278eadae5a36538b95ba24f8d710f28adfb42dc419fd11f2aab3741aa7033624fbe73c5a78432809cc33b1c887b6a76

Download Submit
C:\Users\Admin\Downloads\Microsoft.Web.WebView2.Core.dll

Filesize
404KB

MD5
1475cf2b02eec671df896caa09c987ea

SHA1
636ae4d95c4c6cb163bc43e65216d7ee95ceacdf

SHA256
48067eff4963d35a62da51364f886adfe266461dcc49689d63af99e8fd38a0e2

SHA512
db4ea22771d8895f6fcef4dcd74682c6f6f145cf8336f9b139078f4fa2fa316f87351d1fcada8645e2eb7e0dffa6aad7a21da479d7918b73d1ee301b1fa2843b

Download Submit
C:\Users\Admin\Downloads\Newtonsoft.Json.dll

Filesize
694KB

MD5
60be12d21a15106d15286398b00e7172

SHA1
92559df19edd14b6ccd88ff394c6a18f86acd3f6

SHA256
3719bdb7856342943273b37db921b0c30edd59cc33e32fafad4a63092454de66

SHA512
fd333ea6932585cb06473f425297dce46b2c265966b9ab238c19e4d7edd5c4f79990efa723af1fb657ef8e7232cd7d8caddd3d6ca02f14fe520804407fcc64fa

Download Submit
C:\Users\Admin\Downloads\WeAreDevs_API.dll

Filesize
307KB

MD5
910d8f0c06cf80204029e2f1134e8372

SHA1
1e8111a3af237e2904ff401c83b59898ab0f7985

SHA256
5353f8e7cb55cd8c2a3a9a2b0a9d06e322543e80dee38727ca5436eba5138553

SHA512
6267f6b0b15c4b58ff49d13faf4de947f0deeb6c978b2ef53a7fd84a7d3c1813b507de709dff72adc4559ad9e6a8e9ace91f16c6cd7bdc9869d991960cc51310

Download Submit
C:\Users\Admin\Downloads\bin\workspace\Self Bot RMA\saved_admins\Here.txt

Filesize
23B

MD5
118e5315caf3e357c30c45affa9e8e3e

SHA1
114e3cf096058a901a98443adb14aa035edeb7ff

SHA256
b52f4b1df7c635df62bbce27293474403020fe68b0f66d9547e170f3e6efe482

SHA512
c8f74cdef19ab610bf2f1d39b6f8b06c28669f39c281ef230cfec6ef596f4902a5b6f19abc07ae6bc6ce2c02c29107c3840037d9f24fbc8661d27e0bf359529f

Download Submit
C:\Users\Admin\Downloads\bin\workspace\Self Bot RMA\saved_blacklists\Usernames.txt

Filesize
27B

MD5
7dcb7074a3da5cc9caacc305db15f3dd

SHA1
f72eee6a207fdd5d9d1881dec34fc2d57fe41a4b

SHA256
39a03b432aeccd71796d0494dad5e9e2c11344ea2b03577e5c8140f1941fc211

SHA512
d78565fb1d81d17da53d61544ee6bb1ca2ae5022749e2f3b155b4b5bf070cdb00a18996faaaf8150b5715f05d37f41692f0ca9e9ef0136e3d5a8efd4f2318ebf

Download Submit
C:\Users\Admin\Downloads\bin\workspace\Self Bot RMA\saved_points\MegaJacob3072.txt

Filesize
2B

MD5
c0c7c76d30bd3dcaefc96f40275bdc0a

SHA1
e1822db470e60d090affd0956d743cb0e7cdf113

SHA256
1a6562590ef19d1045d06c4055742d38288e9e6dcd71ccde5cee80f1d5a774eb

SHA512
e62b01e8497ab6b7d89432599e21804eca278bb4a9c4b6ef5f7bae00bd5e45ae6c8cf3a18b74296f9a8e69cd2f416a8f41eeb2128f4e280ecf438ffef6244e14

Download Submit
memory/396-13-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/396-12-0x0000000000370000-0x00000000003A2000-memory.dmp

Filesize
200KB

Download
memory/396-14-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/396-27-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/632-75-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/632-76-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/632-77-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/632-93-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/632-74-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1892-73-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1892-61-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1892-60-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-28-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-32-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2548-31-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2548-30-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2548-29-0x0000000000210000-0x00000000005B6000-memory.dmp

Filesize
3.6MB

Download
memory/2548-46-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-416-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-430-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3300-417-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4828-467-0x00000000062D0000-0x000000000633A000-memory.dmp

Filesize
424KB

Download
memory/4828-468-0x0000000009FE0000-0x0000000009FE8000-memory.dmp

Filesize
32KB

Download
memory/4828-463-0x0000000005FC0000-0x0000000005FC8000-memory.dmp

Filesize
32KB

Download
memory/4828-455-0x0000000006050000-0x0000000006100000-memory.dmp

Filesize
704KB

Download
memory/4828-678-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-681-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4828-682-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4828-685-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4828-469-0x000000000A330000-0x000000000A368000-memory.dmp

Filesize
224KB

Download
memory/4828-459-0x0000000006100000-0x0000000006154000-memory.dmp

Filesize
336KB

Download
memory/4828-471-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4828-433-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4828-438-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4828-470-0x000000000A300000-0x000000000A30E000-memory.dmp

Filesize
56KB

Download
memory/4828-431-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-437-0x0000000005880000-0x000000000589A000-memory.dmp

Filesize
104KB

Download
memory/4828-432-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download