njrat | hxxps://oxy[.]st/d/ZHMh

Analysis

max time kernel
174s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/ZHMh

Score

10^/10

njrat umbral hacked evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

having-jackson.gl.at.ply.gg:56522

Mutex

7c148ac38012fc3caa04b1bbe75feba0

Attributes

reg_key
7c148ac38012fc3caa04b1bbe75feba0
splitter
|'|'|

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe	family_umbral
behavioral1/memory/2788-541-0x00000213A9000000-0x00000213A9040000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Drops file in Drivers directory 1 IoCs

Processes:

tmp8543.tmp.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts tmp8543.tmp.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1980 netsh.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tmp8543.tmp.exe

pid	process
1980	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KiwiX REBORN.exeKiwiX REBORN.exeInj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	KiwiX REBORN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	KiwiX REBORN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	Inj.exe

Drops startup file 2 IoCs

Processes:

Inj.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe

Executes dropped EXE 6 IoCs

Processes:

KiwiX REBORN.exeInj.exeKiwiX REBORN.exeInj.exeKiwiX REBORN.exetmp8543.tmp.exe

pid process

3536 KiwiX REBORN.exe
4064 Inj.exe
368 KiwiX REBORN.exe
4416 Inj.exe
3736 KiwiX REBORN.exe
2788 tmp8543.tmp.exe

Loads dropped DLL 21 IoCs

Processes:

KiwiX REBORN.exeKiwiX REBORN.exeKiwiX REBORN.exe

pid	process
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
3536	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
368	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe
3736	KiwiX REBORN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Inj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\Downloads\\KIWI X REBORN\\Kiwi REBORN (free)\\Inj.exe\" .."	Inj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\Downloads\\KIWI X REBORN\\Kiwi REBORN (free)\\Inj.exe\" .."	Inj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

223 discord.com
224 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

214 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
223	discord.com
224	discord.com

flow	ioc
214	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3184 wmic.exe

pid	process
3184	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

KiwiX REBORN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	KiwiX REBORN.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1720 PING.EXE

pid	process
1720	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeInj.exetmp8543.tmp.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exe

pid	process
2228	msedge.exe
2228	msedge.exe
3880	msedge.exe
3880	msedge.exe
668	identity_helper.exe
668	identity_helper.exe
1744	msedge.exe
1744	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
4064	Inj.exe
2788	tmp8543.tmp.exe
2788	tmp8543.tmp.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
2568	powershell.exe
2568	powershell.exe
3120	taskmgr.exe
3120	taskmgr.exe
3080	powershell.exe
3080	powershell.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
2816	powershell.exe
2816	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeInj.exetmp8543.tmp.exewmic.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeRestorePrivilege	4764	7zG.exe
Token: 35	4764	7zG.exe
Token: SeSecurityPrivilege	4764	7zG.exe
Token: SeSecurityPrivilege	4764	7zG.exe
Token: SeDebugPrivilege	4064	Inj.exe
Token: 33	4064	Inj.exe
Token: SeIncBasePriorityPrivilege	4064	Inj.exe
Token: 33	4064	Inj.exe
Token: SeIncBasePriorityPrivilege	4064	Inj.exe
Token: 33	4064	Inj.exe
Token: SeIncBasePriorityPrivilege	4064	Inj.exe
Token: SeDebugPrivilege	2788	tmp8543.tmp.exe
Token: SeIncreaseQuotaPrivilege	3028	wmic.exe
Token: SeSecurityPrivilege	3028	wmic.exe
Token: SeTakeOwnershipPrivilege	3028	wmic.exe
Token: SeLoadDriverPrivilege	3028	wmic.exe
Token: SeSystemProfilePrivilege	3028	wmic.exe
Token: SeSystemtimePrivilege	3028	wmic.exe
Token: SeProfSingleProcessPrivilege	3028	wmic.exe
Token: SeIncBasePriorityPrivilege	3028	wmic.exe
Token: SeCreatePagefilePrivilege	3028	wmic.exe
Token: SeBackupPrivilege	3028	wmic.exe
Token: SeRestorePrivilege	3028	wmic.exe
Token: SeShutdownPrivilege	3028	wmic.exe
Token: SeDebugPrivilege	3028	wmic.exe
Token: SeSystemEnvironmentPrivilege	3028	wmic.exe
Token: SeRemoteShutdownPrivilege	3028	wmic.exe
Token: SeUndockPrivilege	3028	wmic.exe
Token: SeManageVolumePrivilege	3028	wmic.exe
Token: 33	3028	wmic.exe
Token: 34	3028	wmic.exe
Token: 35	3028	wmic.exe
Token: 36	3028	wmic.exe
Token: SeIncreaseQuotaPrivilege	3028	wmic.exe
Token: SeSecurityPrivilege	3028	wmic.exe
Token: SeTakeOwnershipPrivilege	3028	wmic.exe
Token: SeLoadDriverPrivilege	3028	wmic.exe
Token: SeSystemProfilePrivilege	3028	wmic.exe
Token: SeSystemtimePrivilege	3028	wmic.exe
Token: SeProfSingleProcessPrivilege	3028	wmic.exe
Token: SeIncBasePriorityPrivilege	3028	wmic.exe
Token: SeCreatePagefilePrivilege	3028	wmic.exe
Token: SeBackupPrivilege	3028	wmic.exe
Token: SeRestorePrivilege	3028	wmic.exe
Token: SeShutdownPrivilege	3028	wmic.exe
Token: SeDebugPrivilege	3028	wmic.exe
Token: SeSystemEnvironmentPrivilege	3028	wmic.exe
Token: SeRemoteShutdownPrivilege	3028	wmic.exe
Token: SeUndockPrivilege	3028	wmic.exe
Token: SeManageVolumePrivilege	3028	wmic.exe
Token: 33	3028	wmic.exe
Token: 34	3028	wmic.exe
Token: 35	3028	wmic.exe
Token: 36	3028	wmic.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: 33	4064	Inj.exe
Token: SeIncBasePriorityPrivilege	4064	Inj.exe
Token: SeDebugPrivilege	3120	taskmgr.exe
Token: SeSystemProfilePrivilege	3120	taskmgr.exe
Token: SeCreateGlobalPrivilege	3120	taskmgr.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeIncreaseQuotaPrivilege	3368	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exetaskmgr.exe

pid	process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
4764	7zG.exe
3880	msedge.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

KiwiX REBORN.exeKiwiX REBORN.exeKiwiX REBORN.exe

pid process

3536 KiwiX REBORN.exe
3536 KiwiX REBORN.exe
368 KiwiX REBORN.exe
368 KiwiX REBORN.exe
3736 KiwiX REBORN.exe
3736 KiwiX REBORN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3880 wrote to memory of 3376	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 3376	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4640	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 2228	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 2228	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe
PID 3880 wrote to memory of 4636	3880	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4524 attrib.exe

pid	process
4524	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.st/d/ZHMh
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86b8446f8,0x7ff86b844708,0x7ff86b844718
2⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
2⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
2⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
2⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4886587297389301206,11069628981579395972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KIWI X REBORN\" -ad -an -ai#7zMap14163:88:7zEvent24127
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4764

C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe
"C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe
"C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe" \Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\inj.exe
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe" "Inj.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1980

C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe"
4⤵
- Views/modifies file attributes
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
4⤵
PID:4800

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
4⤵
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
PID:3344

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3184

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe" && pause
4⤵
PID:4640

C:\Windows\system32\PING.EXE
ping localhost
5⤵
- Runs ping.exe
PID:1720

C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe
"C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:368

C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe
"C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe" \Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\inj.exe
2⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe
"C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
936B

MD5
12b4bb52a4e4bcdb4c8af0cbf2aadad9

SHA1
5d4a3fc8c3bce1ee727dbafc2e2ac6877d1496b9

SHA256
fcefe742eb39a855b657e5268cd710573637b125afc65e10b637810764029eaf

SHA512
d8ed55193c9face227876d7e492b95891ae242864db22c384411ecc2264bd9dd8673f1cd28f3562917d910188dd2f2a8fcc4d74536f52a6e4852cfd02cb692cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
af2fd8bee159d8915aa5a4e5c280a2b2

SHA1
f5b9999c265c8a377179aa70a68b4b2258398b69

SHA256
71b3ba4ba64d4f60240768f912cb3d3d06e64c51e4f9cac9adf3732652011a52

SHA512
249bfde0717ce5237a3eba376260bde0a48828279159f12b6dd76c61ebb4d39279529f080d5d9a4e497dbe22554199e2bef351850d388b01ca249ddc4ce5b621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
3KB

MD5
cc1bfc7e49d341cffb9f6caa1f96ba83

SHA1
d51e46bb7158540c71fb39fe075fc3f5c2cdb7ca

SHA256
5ed40f6c1abdf2009b4fc31f2696de4c87006ef0cb4011ff6ce2b42efbda6f0b

SHA512
286a4160556d9e7f6cba6c0a580aeb83903bee0aa69b934ffd14e288cc17b7c31ac169d2accff2b72aa0622e0ae3c4fa3a2944c428fe9f7fba7a9c6a57a59e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
59b72cb8a56ba43823a7ee133ecb7dff

SHA1
23ee8543aec3e01c0e510b1a11c970b384291486

SHA256
11b595c9c223dc1cff5427466f41ed0f99a6218a506b8be62f64170c3f3a32b4

SHA512
84f30c0f285c23d60322e42da44a83205e79d8a5f8cffc609b0021293d1e3fd10c518a889a8a7b420bcae86492fd6f1eda51a09c28112b2147cdfbf64e7582c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
ae360d5765023896aa2ac02032cb9c7b

SHA1
c1310e9cf7bc0afadf98ae049f1b20fd33f306c2

SHA256
ffcbd9d02e02bbf8474e16732d4696e5c7a5ef9071d6853b36713fcad416ae48

SHA512
94bdd722718c444d44f0c0fa495906b5a30b74fee12e0dbf1ecfa7d681918ea675f21d861d3a11362f0cb942b4a95d780b0320b50b57b78e639ca03ba1fee380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
d7fe5f196a9eac8f4fee2565a7f0f2de

SHA1
bbb0566c2d49b8591ccaffa631c3c0e7c727239f

SHA256
187b7c61aed1ce54db08d7b8c84cd05419547d95a7a37795fa7f900e57a7ffd7

SHA512
65bee73ea38b6b7ac4d6d44244fd185b6421f954e1301e5254ececc21660d62b7c7b79b102114f9b22c5b4de9f715635dbfa770542ccdde355dadf457019b6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
6451ca7b0f630da4f4821c0497f1bfe5

SHA1
a38584da47c25286e9896df7c661ed27d9eed4ca

SHA256
2aa880af1fb8a60e9ad7a175b066c527b68763914724a60bf2f445b6d07333e6

SHA512
59c9e88f2b4459e95cd45fc7bc98488c90e7253e2614499442df2c816b506b474f9889c18b2fd91987a6a74ba22cc863528109980c76a46c9995356005b07182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a958ea0202f83fda7f9fd8ab127114f7

SHA1
1b0d4bf4baf222eef63d7f0aeb5c0784d495123d

SHA256
ad035d13f37a1eeef214e0e4e6ce7d49c3c00ff2923ff958f2c2436b4a4988ad

SHA512
3be8a50d364ba8ab7402176a2d47455c5b179dc97576850c148dc8e4fdaa88e682e015d6ef7f82583daf9de2f03c7ba0ef97340cac003c26b7d653a882ad4c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3bca40e93cf61247d8e46a1819d85313

SHA1
e283733dd0a3616e72bf46965458fda785875fad

SHA256
20d341885ae4f083953f0454c9516f2cd6218f9b266adfe3e66593956890164e

SHA512
79042250e2d20de565120ea4b21d2da10268c7332a66287ea91c4331fcacaed66235caf620ba6e2f2c17ad8130d76f47ce19dd0f1c0ea332fd530428c597a908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
bfdb5f11dec35b2ee26f7621ce41cd98

SHA1
2ae6630eed2761b839da5ee4cbcc240c9d291b85

SHA256
c0e10c138405e49b0e13091a76331fea948fc2ee9efbb75d9d89f200a476b629

SHA512
aaabf7003a6eaf8b7e8b2c851d77a23ece8260939fcb4ca18ef438ccc39a6f31a1971e2a2d9ea3611a8e33de57a7878b7ee0e49317751cb6dee943aec8b69c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
1c6cdcb9bc56fbf89de9a3b1172556f3

SHA1
9cf088d5b15fba877d673f251c44d2fbf4b5a87b

SHA256
d35626063a43e3add5b68bd1a7a23ccaabb579ca4518e87050f42a8815a63131

SHA512
9f21accec9736c62f50492feadc6f355f8e32148979c7993f4d1d091377593c06deb07fe7b9ddb333cb2fd90ca066a81b3421bd37ff325ae2cc81b69c565524e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
22eff786a855307ccd29cebdfc5ed07d

SHA1
27e9be00efedac6d1b0ee27dcb0f2f2c21871d9c

SHA256
1b730b8bfd365d6e29f2da8b868dd2ec6d531042f32c4687ac86cb4096003d42

SHA512
23fa5fbcaa4ea2029ff2b620396b863c71249e998637837c084bc6430d6b8a251b7dcf4df8a63773fe7d2016ac9535d42381ade978bfacf2763c229aa9f35040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
3600feb87532f9f84a01b6a91cab5bfc

SHA1
4758d7abda6201b453e4dcc5fc51392fee95c38d

SHA256
a6ebdc3cebc0704e1a86f011a6b03d3549db2b11ad0d81bb30facff1a166df1d

SHA512
e6a13a3548589a355a2d0e3e953a94978071d2c92567c9d508aac243a6b66a6da56ffd0b4db77c19cc645a318fc67aeb100e972fc67914dffcdf6b02a071bb1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fabfa26df638ebb375730f052511f2a4

SHA1
b91867321cd6abff699f0770777f177c6ad6747e

SHA256
67818e0535e66683e56d4d4421d742c9f4f3363780e5dac01b0ef524fb3d7390

SHA512
1cff170398d4ed9714c4fda65f016e906821e6e8fb599061597175365c1cd6d5bd31cf2c53ee29be93219501352168266f3470871ea648ded1287876dc6ed070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0710c80147bf4ce0ea52a921d18aeb14

SHA1
92c6cd30dc3374db126d866f556cb996fcb3bc0e

SHA256
2bd0b2eed264474853145e06879c071297a8975ad1b9b3a304824de4cc2d5f68

SHA512
0ece7a85814ddeffaa02f57774739314f49f9f376981945945b79b3a630a840031ef3a87abd0ed5e7e0f16eea7e5f9582c4acdaf30608667ffd7e00adbca4429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ef9be8978e4d1770382b552e8f14c197

SHA1
ec937e04ca440f1d289f12a37364adcb832df49d

SHA256
910ec053a886c592c665dcde8a35cb7e8ee70b32dc30c0fe289996b6fc6dd3d5

SHA512
60977e1b0c0c55991414b789c846b4aa740766cee3fb5f93e101ba41d1dfe57ead6894ed64eaf0a0d4b61bca2685d057bfe7aeb2d402d9bb03ba6eef96825c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
9390b66cebc6c006ad29783078ac920b

SHA1
a61c048a788c8821ac024811fa693d2259499cf5

SHA256
a749a95d2101f05dfc26c1045f2d7324e1a8f30c7a1e13eed18ab5f9c2b73d3e

SHA512
65c2658215753f5d6de2affbb93ab15a62d6d9106b79e4c049cdeb885d52332825aa2d62eeb4f0b312eee3a4f01ede6f9e2caa10e12b269fe81178d878cc4cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6f60f6c933ce30523f344796dd24a541

SHA1
97dbbeb5830da933fda846298e0947a940bb3653

SHA256
5cd231726837fc0efefa904db074cc8411dcee447191d013a2ed623a38b7770c

SHA512
614a6913a51fb6c35e95190cace5b48e5ca0d1938fa7a6518f03422c838b0d70ca50f7043d9ef24172cc0b1eadf935c5b2c5a859f580288bae4dde8e9d83fe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qpkfraak.0p0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\DialogPower.mfx
Filesize
104KB

MD5
e7ee84c44aec90fdc7c8bfaa14238b1d

SHA1
04171b0ed715a1b0fb0cc668aedba75d88dd27d2

SHA256
2d0ee61ededcd628a8fa0227e2c7e6014f58f3edd7ca12101a4b80d016b282e3

SHA512
55d7cba57ef37f1274e67abb64786cbf91cfe1e9bb9b6e7ad4f120a3b840c861d427b2e49b1ed73276ac020d6f8e40a5e00e20dc7d489a729ed631acc1a7979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\kcedit.mfx
Filesize
32KB

MD5
a00acf3af0958898345fca9893cb6f57

SHA1
561717e33e2877fd0db99411265186ca468041bd

SHA256
b38ad01ad8a22f3f553530b000d6d061356601d308e6a79284605c30cb0674ad

SHA512
9435f612a23864ac7e4d22cff927b4155463fdddd8d143b805d7233dd372e9a5975c9a4170de9bcfc3adce4ab9fffdab2937f053e48743d2791753d2dc727850

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\kcplugin.mfx
Filesize
24KB

MD5
f7851d2b959639cdb47b47022774f3e7

SHA1
a9b79f17ddd23ccfceb6dc7b8552627d7697bb0f

SHA256
19c2a0ed5f23954ea52f1afe135065aeb958c6230dc254b06e50acc8546c5266

SHA512
87e9680bb6da4e3dae9b0be5b41c2d69550788fdec3e9424656d3bf81cc354c47ac60eceef17b3755cffa8ad78dab490326123782ce0036ac088138b954dc94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\kcwctrl.mfx
Filesize
63KB

MD5
fa3aa3c51150eb5410dc3d74484d84bb

SHA1
3ffca600b9d8b2d580c99021c95e8c6400d9a824

SHA256
0666e52ea54bb2bdb81216443ea0787b8fcc6292b64d6bdf285eebf42e1bbae6

SHA512
81ec7ec2a5877d1b226dfb4ccc8c3946b61fb409d5c53c789e6f8c310a0dc0b3ce1681613cc110a5559540a0ab302e6c36a00d0df07acb41c5a7c35b37d4594a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\mmf2d3d11.dll
Filesize
541KB

MD5
839633898178f35f6de0b385b7de0ec7

SHA1
5396e52c45954f0953cc8cf2095b122f7353180e

SHA256
5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a

SHA512
b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\mmf2d3d9.dll
Filesize
1.5MB

MD5
c85bcc9f3049b57aa8ccbb290342ff14

SHA1
38f5b81a540f1c995ff8d949702440b70921acc5

SHA256
bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5

SHA512
5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA96A.tmp\mmfs2.dll
Filesize
768KB

MD5
200520e6e8b4d675b77971dfa9fb91b3

SHA1
0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07

SHA256
763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b

SHA512
8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp.exe
Filesize
231KB

MD5
211994ee8cb49643fd5204d606029e53

SHA1
1fb2d311f596e283b519606a233195b7ef2d78c3

SHA256
01c07b796ebd9ccc2acc467ff44f9a4d7e33473d0b3c69e23b3b89608b8e59dc

SHA512
0cf8ba8420e8f337b06b89a257a62563d86124ee4a30160f9815f244594159df44a957eca7cfd6a8443dd8dd371636d4972faa9cf1180fee9eafc87ddf2cf853

Download Submit
C:\Users\Admin\Downloads\9fbeeee8-21e4-4c23-aae4-dac8adc7c905.tmp
Filesize
8.7MB

MD5
d926139e87ea0093ae90a7528e0cc05e

SHA1
6e6734b1028de7c39b2eb0729bc1908c042ef3da

SHA256
41404fb75ff6a5a1b79830bbeee3045f12b2f43134318b0b219c45da3b940bb1

SHA512
0d0af12bbb2919ec76ef72efd201acfa774d16c2a0eff7229f19be0bf2a03cab6da81f13ed9fd58d13b4c2a3b2eab661ac37833a1abbc18fd803ed1bea9dd164

Download Submit
C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\Inj.exe
Filesize
37KB

MD5
ad8378c96a922dcfe813935d1eec9ae4

SHA1
0e7ee31880298190258f5282f6cc2797fccdc134

SHA256
9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98

SHA512
d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f

Download Submit
C:\Users\Admin\Downloads\KIWI X REBORN\Kiwi REBORN (free)\KiwiX REBORN.exe
Filesize
3.8MB

MD5
b367ab5cb8286aa0d4c3aeaa7204ad2f

SHA1
c5a2e63e604acd90226cb78a9de194e5ccacda0e

SHA256
c7e54e2ee5dc91af44b68090111569deed21397957f9335b392dd288ec40686e

SHA512
9054dfd48cc27670104ae004efcaf9960afad3dbb8b3d2d47c2d3a7e4731edb8b567f96d852a5d2f368063eb5caff537578837e78ab4dcacea669224ecce9a87

Download Submit
\??\pipe\LOCAL\crashpad_3880_NSNGSIVRYDZSMSLN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2568-719-0x0000025F05A10000-0x0000025F05A20000-memory.dmp

Filesize
64KB

Download
memory/2568-718-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2568-715-0x0000025F05A10000-0x0000025F05A20000-memory.dmp

Filesize
64KB

Download
memory/2568-701-0x0000025F05A10000-0x0000025F05A20000-memory.dmp

Filesize
64KB

Download
memory/2568-700-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-812-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-541-0x00000213A9000000-0x00000213A9040000-memory.dmp

Filesize
256KB

Download
memory/2788-724-0x00000213C34A0000-0x00000213C34F0000-memory.dmp

Filesize
320KB

Download
memory/2788-727-0x00000213C3530000-0x00000213C3540000-memory.dmp

Filesize
64KB

Download
memory/2788-722-0x00000213C3780000-0x00000213C37F6000-memory.dmp

Filesize
472KB

Download
memory/2788-543-0x00000213C3530000-0x00000213C3540000-memory.dmp

Filesize
64KB

Download
memory/2788-542-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-726-0x00000213C3450000-0x00000213C346E000-memory.dmp

Filesize
120KB

Download
memory/2788-788-0x00000213C3510000-0x00000213C3522000-memory.dmp

Filesize
72KB

Download
memory/2788-717-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-787-0x00000213C3490000-0x00000213C349A000-memory.dmp

Filesize
40KB

Download
memory/2816-784-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-775-0x0000019DD9AA0000-0x0000019DD9AB0000-memory.dmp

Filesize
64KB

Download
memory/2816-781-0x0000019DD9AA0000-0x0000019DD9AB0000-memory.dmp

Filesize
64KB

Download
memory/2816-770-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-577-0x000001B634510000-0x000001B634520000-memory.dmp

Filesize
64KB

Download
memory/3032-696-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-658-0x000001B634510000-0x000001B634520000-memory.dmp

Filesize
64KB

Download
memory/3032-578-0x000001B634510000-0x000001B634520000-memory.dmp

Filesize
64KB

Download
memory/3032-576-0x000001B634510000-0x000001B634520000-memory.dmp

Filesize
64KB

Download
memory/3032-575-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-571-0x000001B634550000-0x000001B634572000-memory.dmp

Filesize
136KB

Download
memory/3080-755-0x000002559ED50000-0x000002559ED60000-memory.dmp

Filesize
64KB

Download
memory/3080-769-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-728-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-729-0x000002559ED50000-0x000002559ED60000-memory.dmp

Filesize
64KB

Download
memory/3080-732-0x000002559ED50000-0x000002559ED60000-memory.dmp

Filesize
64KB

Download
memory/3120-763-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-766-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-756-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-744-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-767-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-757-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-761-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-765-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-762-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3120-764-0x000002C59E8F0000-0x000002C59E8F1000-memory.dmp

Filesize
4KB

Download
memory/3344-806-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-804-0x000002B0295E0000-0x000002B0295F0000-memory.dmp

Filesize
64KB

Download
memory/3344-802-0x000002B0295E0000-0x000002B0295F0000-memory.dmp

Filesize
64KB

Download
memory/3344-801-0x00007FF857C00000-0x00007FF8586C1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-544-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/4064-474-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/4064-435-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/4064-489-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4064-529-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/4064-434-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4064-702-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/4064-528-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4064-433-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4416-480-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4416-478-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download
memory/4416-477-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/4416-476-0x0000000072770000-0x0000000072D21000-memory.dmp

Filesize
5.7MB

Download