971ecbbd16b4202bdab0abd676cefdd9f983b6d600f06c17479b444f01b97253

Analysis

max time kernel
191s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Edge Stealer 4.0/Edge Stealer 4.0.sfx.exe
Size

143.1MB
MD5

1407c120c9886106007bdf73e03e4c88
SHA1

d11e1050b5d495174006e054df7f059799fd520b
SHA256

9e499b8665959e8df1eea5ce5e835895b8193b75ed2a04cce7a3639216cb74db
SHA512

c91ec5c3cd5f2c7083d6120c4b87aebd40a203d7e78e2bec4f48075ee1b1e27af728d50483b5e2fde55b23f7825fcef9029085a6b2f4b738907222dc0d5ba9a8
SSDEEP

3145728:y8UtABR8FkUNNC3cZ1IkZoY3ysYB4x6wAeVv+iH7bLY7v:FUyfsNNOlkxyTeV17vY7

Score

10^/10

discovery persistence

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
213.142.151.196
Port:
21
Username:
admin_edge
Password:
Black900...

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	Edge Stealer 4.0.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	winrar-x64-622.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Executes dropped EXE 8 IoCs

pid	Process
3460	crack.exe
1756	Edge Stealer 4.0.exe
4160	winrar-x64-622.exe
1640	uninstall.exe
4512	Edge Stealer 4.0.exe
3440	Listener.exe
3396	Edge Stealer 4.0.exe
116	Edge Stealer 4.0.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	myexternalip.com
126	myexternalip.com

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240729734	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133336010505053460"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
60	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3460	crack.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe
Token: SeShutdownPrivilege	4460	chrome.exe
Token: SeCreatePagefilePrivilege	4460	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3268	Edge Stealer 4.0.sfx.exe
3268	Edge Stealer 4.0.sfx.exe
1756	Edge Stealer 4.0.exe
1756	Edge Stealer 4.0.exe
4160	winrar-x64-622.exe
4160	winrar-x64-622.exe
4512	Edge Stealer 4.0.exe
4512	Edge Stealer 4.0.exe
3396	Edge Stealer 4.0.exe
3396	Edge Stealer 4.0.exe
116	Edge Stealer 4.0.exe
116	Edge Stealer 4.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3460	3268	Edge Stealer 4.0.sfx.exe	96
PID 3268 wrote to memory of 3460	3268	Edge Stealer 4.0.sfx.exe	96
PID 4460 wrote to memory of 1532	4460	chrome.exe	102
PID 4460 wrote to memory of 1532	4460	chrome.exe	102
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 3572	4460	chrome.exe	105
PID 4460 wrote to memory of 768	4460	chrome.exe	104
PID 4460 wrote to memory of 768	4460	chrome.exe	104
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103
PID 4460 wrote to memory of 3076	4460	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\Edge Stealer 4.0\Edge Stealer 4.0.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Edge Stealer 4.0\Edge Stealer 4.0.sfx.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\Desktop\crack.exe
  "C:\Users\Admin\Desktop\crack.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:3460

C:\Users\Admin\Desktop\Edge Stealer 4.0.exe
"C:\Users\Admin\Desktop\Edge Stealer 4.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85c649758,0x7ff85c649768,0x7ff85c649778
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:2
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5204 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3492 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4996 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5628 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5760 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 --field-trial-handle=2072,i,5459894193964701625,17306719174341010014,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Users\Admin\Downloads\winrar-x64-622.exe
  "C:\Users\Admin\Downloads\winrar-x64-622.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4160
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

C:\Users\Admin\Desktop\Edge Stealer 4.0.exe
"C:\Users\Admin\Desktop\Edge Stealer 4.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Users\Admin\Desktop\Listener.exe
"C:\Users\Admin\Desktop\Listener.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\Desktop\Edge Stealer 4.0.exe
"C:\Users\Admin\Desktop\Edge Stealer 4.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:60

C:\Users\Admin\Desktop\Edge Stealer 4.0.exe
"C:\Users\Admin\Desktop\Edge Stealer 4.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
18eeb70635ccbe518da5598ff203db53

SHA1
f0be58b64f84eac86b5e05685e55ebaef380b538

SHA256
27b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b

SHA512
0b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
103KB

MD5
eaeee5f6ee0a3f0fe6f471a75aca13b8

SHA1
58cd77ef76371e349e4bf9891d98120074bd850c

SHA256
f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c

SHA512
3fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
11d4425b6fc8eb1a37066220cac1887a

SHA1
7d1ee2a5594073f906d49b61431267d29d41300e

SHA256
326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e

SHA512
236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
45b004dc8e9d3a06b2b35e1cc033e9aa

SHA1
56ff32d96bc7d3e13db6bb2f1645bee00cebf6dc

SHA256
978ed6399ef07500e6f41fc016433cf2589067afd1a55df446e5b9cf208c25e4

SHA512
bb67fa59539f5387c6ff9b05f3be005958093ed08aaa24e8cd54236fec2de7451c9a97e570ca0e2b96e4a02f3601b2aee53a5165c1f583d6dcd47a9744e128c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ba13793d3fbceda439555faa35f65ff6

SHA1
f5349d4d384a92827c47c36c2ad925de46f0b71b

SHA256
95fbd6cc311835098c4981091f20ee40b8c9b524ec95861705952a53130ea451

SHA512
0870b8ef99b550866c7c4787ece740434c35382d0962d6787defacc9a7e6d710636b2f19d327f713b3f032f3572587e301cf0c38f11573a86c74b8498f72f105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
519afbb9eb6f2cf4b8c64b24efdd06c1

SHA1
ece4389810cd2b8d5464d72e64b42ccc3b9e4b62

SHA256
fc75ab09ff3d80913533575789b2e5a0af8e81a1ab0d16bef1268b3b89fc45ed

SHA512
88a2f1c78d3187ec559acba376e2371866e851de292a08a293103499e653deef4e07f7911fd1a201ed184f615dfb89b46a053a079ca1e5077db61adaafaa72bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
8d921d59722cd4beb77f39bfaad9e8ab

SHA1
d5612fd6598a640762fc3262a2d5863f5135d287

SHA256
9132e597736058fff0bd3afff3f37ebd4573b4ce6b1eaed6c3e50a34d69da1b8

SHA512
a21cc1658d712976514291d2e11e7b2a3c7b1edb7cd9edf80838f8475104f34269eb1c226c0811dc0750d1de7038f6a732bbd93cb32bfd0ce042508ab1598ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
d2d38af727c8a27e6be586d34e91402e

SHA1
57be0ea9a7dfea4ef44dc583353db2f23a909652

SHA256
2852be661293f931c2828e4edfebc65f1cf0b45047ca44f265996f5316692df2

SHA512
1b33a3664f05e1b204767d7ff3aebcc2ad7fbd586a8dd9c6d33f5c0beaa501ae020ab9f8f218cb080b7a999d1bda0827e3a9d804a7120e213ec9cd74adc6fe0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
9848c3ce5256ac58e9687e1163c884e4

SHA1
ec45438adec70b906aa5c1d578f5265162f82efc

SHA256
8ca316834c1239a7b9f584b86f083ef1a67da7191616b640dbc508126d254882

SHA512
2e2ef391b407dae063625ba9d5f00cf3714d6a8d02f3d980ab4d4f3736eca16f6e90149d8167b1cd3b5ef3c69cdb2d5e685e8993286084a5ee8715fb56000ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
988390ca83b193c6f335e88434798327

SHA1
68fc5cf5c9c42d63dd0b6100e05bf86717b8ee5c

SHA256
30b4320a595752d3a4c7e06b153b63acd72da20a8eebcb4164246ba1251336b7

SHA512
56c5d1c3e38b4ac38c4b73ad4feb201cf383877ae9ed4b572e685bfcd91ac8008e0964001596cc5e481799725ccd7f2b7f1217fde76177d3aaaf1866b7245826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b0f28681ebc7f94b86cb6476d38ecce9

SHA1
f15bf91ac87bd450dd38f5e8845e8ab699fef732

SHA256
9f7fa418a0e1c141f053b80313cddfa200d8db277871fc9acff0f8ff0d6d631c

SHA512
41cece9cbfdc927b22fff97d7dce5080bb04edc187b2b9a7c0eee1a5b35d83aa379bd318acc5c9a56416ad923df60290bd85716d1d9c88be7509f957dac55d7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
df54d471a6bce909bbd2f9d5f9c449be

SHA1
50ad62a329f14fd74ca666128819f6d0d172dbc8

SHA256
db0730f258b497a3bc5e1759c8210c7dffb159cb24b0656d88852fe20f664b78

SHA512
de7b89a739557d26c7aedf3f553848c78e23a41c51dd831279a97afccbcc5ede58906ec7ecccccd1ad43ab893ca6dca4489d3e48f535fba8be740f55d823074d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8d5840da94ba3b911408f7ab3b579392

SHA1
ba0517a982fbb256b09c0772a17bbdbfff578cf6

SHA256
00f28174f39152c2bf8cebd1bfe5d3383a01abe991e3d30c35b1820981fe2d05

SHA512
07ffe2e5590741196482185ac634f691c07824cb262408b354d29ac0258a8fd95c01e866367f5868ae98e69494268a3788a2530054b997aeb870f54efdb8a0d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a89a58496b01c1a06d28087b3d8ce72e

SHA1
481395e53e97ab01df2543ca5e0cf4db75e3a915

SHA256
33d278073266d26350f976cf1d884b2aa1fc4c8b68e326e8e4188c937af25f12

SHA512
411df5c966825ce5c1b10a80ab7fe188ff396ba8719f2c1f3aae468d25f5cb22dff1d972bc394ef5e7404feba0b34cff7a464c41503535911ff2943fe6dab938

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
bec845d449958a20aea5618b126ec9c5

SHA1
a8d34fc708b48030938690bde64dc7dad3e3d4e9

SHA256
d4330f9df88302943d241cbcd8fb923d63aaf36f92fd66eb6de4d0828704ac04

SHA512
b65bdfe0ed893422570be2dc94f6e8a4cfddc11469cfa36cbcf71533220c80bdcd109b2e9215cd9dc11a83b2067f823ee6d2aeb37638ffffdc8fc66aed6f91dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
08584d9b22e96e1d8ce377ce8efaa1c7

SHA1
9a48c374a672bc774c61650f1dd772a288553388

SHA256
a0b1102c4a39dee66dd5c1d840098747ed811c70e682fbde96792ad20ff22e53

SHA512
727341ea983c1b3308f734dcf8f2a022f3f7b21ca3ef5eb6cb1c4a5d40f49cc5f88d2ba426493c8a33faa65c255e899473f19a1e9b6b8a2319aba50604c1f2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
3f8097ec58166c0d9f9ae94a1837229d

SHA1
6f23c377c841b4bc2047048503ab813edf83adf0

SHA256
b60f2c8b4615fdf0b19517e9ffc6f11c75a888ae3fa92b6cba2903f2a0384396

SHA512
5d6b161e75f4ffc64c9e084a432f546d412727604e1a4069e25124b234a1e5441e7868972bdac73556dd28742dcf9d30a1645969d8c934aed087ed15a019a378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
d0afee374dc09a61523e5235cd99f1b8

SHA1
ee31dfe5f35e2d5dc6be2d8f38de4d4578abb198

SHA256
2baef44713c221e6b9e94a9d344adc12658dfd4cd3ad0463cdfb8a0ded20d8e7

SHA512
3e68cc7b6086a329d98442bd953c6695839d60061ad330c5f36eadf8d43f0b503cc64c0babc53287ce0de6318abfcc969391cdd2be879187186befce6b2523c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
cdc7a5f687ef217a1448698254a86a79

SHA1
a9f4b97321ac5dc568b46c75355da7a55940fd42

SHA256
2fa87a9df8daa9f0708c38ee62c2dcbe53dc4a20d5bc9a0a77e69a836d0bced5

SHA512
6050057cdbc9942fb5df4f1af2d16f41584531ed3c5289fcf4c23f7405fffe55b50f18508cce9d75313ea246868382261f40f4baccc3e482f23ea4de2269c880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f22b.TMP

Filesize
98KB

MD5
aebf6fa6fc352f55a8aa9209f7e0e2a8

SHA1
372dfa3e6dc3b816f8accb96d738b5ee97927569

SHA256
7f94b1476ef85ddcc4db0a2a093c104191854e3175b412bcb5b67bf0dad00188

SHA512
156785d8bac4d45008f77bb4f1c3dc10e2f2409793095c1b9c922e87936afbc0756385407dc94695a76d15f997b1d41ba3695ab6412b759ccc97d2409ef9b3ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\key.txt

Filesize
58B

MD5
70c681992bf5aba12e7a808dc7de7a69

SHA1
b407a1fbc0a162adb94ce40d54d1b9f258d978c0

SHA256
a3bb3a7a04942d5452050fed5ffbe14435b0573ce2a8cb4979eb4e44001a06e4

SHA512
091f686f483a28d294b5a1f1d25ecd7928d4f76c999e452b935b2ce8a5090db2bf18157cbac1bf5ecd419d5010321c753cc9e26a6fca4d8566be56de1c69f394

Download Submit
C:\Users\Admin\Desktop\Edge Stealer 4.0.exe

Filesize
143.4MB

MD5
3129ba5f85d664f70cee1e74473f5e02

SHA1
9f282c55f68976cca225dc454d64df1570cab189

SHA256
b4c6c9230e58fcd93f1ca508a1eaa063d5091405d824911bd30c4e370a1b7861

SHA512
279ee22c798527696b41a64138188bf8a67311162d84519a56123ea2c016d40fbe7bb012b825ad6275afe859b6f63c5d16d2b932abacc81b83b94a0cce75debc

Download Submit
C:\Users\Admin\Desktop\Edge Stealer 4.0.exe

Filesize
143.4MB

MD5
3129ba5f85d664f70cee1e74473f5e02

SHA1
9f282c55f68976cca225dc454d64df1570cab189

SHA256
b4c6c9230e58fcd93f1ca508a1eaa063d5091405d824911bd30c4e370a1b7861

SHA512
279ee22c798527696b41a64138188bf8a67311162d84519a56123ea2c016d40fbe7bb012b825ad6275afe859b6f63c5d16d2b932abacc81b83b94a0cce75debc

Download Submit
C:\Users\Admin\Desktop\Edge Stealer 4.0.exe

Filesize
143.4MB

MD5
3129ba5f85d664f70cee1e74473f5e02

SHA1
9f282c55f68976cca225dc454d64df1570cab189

SHA256
b4c6c9230e58fcd93f1ca508a1eaa063d5091405d824911bd30c4e370a1b7861

SHA512
279ee22c798527696b41a64138188bf8a67311162d84519a56123ea2c016d40fbe7bb012b825ad6275afe859b6f63c5d16d2b932abacc81b83b94a0cce75debc

Download Submit
C:\Users\Admin\Desktop\Edge Stealer 4.0.exe

Filesize
143.4MB

MD5
3129ba5f85d664f70cee1e74473f5e02

SHA1
9f282c55f68976cca225dc454d64df1570cab189

SHA256
b4c6c9230e58fcd93f1ca508a1eaa063d5091405d824911bd30c4e370a1b7861

SHA512
279ee22c798527696b41a64138188bf8a67311162d84519a56123ea2c016d40fbe7bb012b825ad6275afe859b6f63c5d16d2b932abacc81b83b94a0cce75debc

Download Submit
C:\Users\Admin\Desktop\Edge Stealer 4.0.exe

Filesize
143.4MB

MD5
3129ba5f85d664f70cee1e74473f5e02

SHA1
9f282c55f68976cca225dc454d64df1570cab189

SHA256
b4c6c9230e58fcd93f1ca508a1eaa063d5091405d824911bd30c4e370a1b7861

SHA512
279ee22c798527696b41a64138188bf8a67311162d84519a56123ea2c016d40fbe7bb012b825ad6275afe859b6f63c5d16d2b932abacc81b83b94a0cce75debc

Download Submit
C:\Users\Admin\Desktop\Listener.exe

Filesize
5.1MB

MD5
5af0d042e3cf2b15a67ea1e9481d9785

SHA1
2e91a049bbb0f5e036736b6abb5ef67f3a75d6e9

SHA256
a4d6f1b7367f85d2b350315a18ae4aca8d67dfc82d3c3c9bc5637e143b3b5afe

SHA512
a69add68d25ef5f24832f469a99bf75b36d8538b78e592ed511ceeee17e331fdb9df67788baa704aba0078781b70a5fb77cd0e14517fbcb28830e8940f9bd1b6

Download Submit
C:\Users\Admin\Desktop\Listener.exe

Filesize
5.1MB

MD5
5af0d042e3cf2b15a67ea1e9481d9785

SHA1
2e91a049bbb0f5e036736b6abb5ef67f3a75d6e9

SHA256
a4d6f1b7367f85d2b350315a18ae4aca8d67dfc82d3c3c9bc5637e143b3b5afe

SHA512
a69add68d25ef5f24832f469a99bf75b36d8538b78e592ed511ceeee17e331fdb9df67788baa704aba0078781b70a5fb77cd0e14517fbcb28830e8940f9bd1b6

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\Desktop\tutorial.txt

Filesize
1KB

MD5
746b822193dc3a53ee2e8a34f1de9238

SHA1
401fe395c98022a1718f7a6fc44a5608d4e5fdbc

SHA256
07ebdad83e98ecce74952346c95173dd71cfb8e0873d26751625a8a132c8d743

SHA512
b72a6c735ff89c9c9a2fd60531176ee4b594663fec246e58383d200779f3ccf43ba244a82c8ce81846d729f3592e5b8a7c939378686ef2f8ba89a45ebe7ad5a3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 239202.crdownload

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
memory/116-600-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/116-598-0x000000000B460000-0x000000000B461000-memory.dmp

Filesize
4KB

Download
memory/116-597-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/116-599-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/116-595-0x000000000B460000-0x000000000B461000-memory.dmp

Filesize
4KB

Download
memory/1756-156-0x0000000009B00000-0x0000000009B01000-memory.dmp

Filesize
4KB

Download
memory/1756-157-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1756-158-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1756-160-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3396-590-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/3396-591-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3460-159-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/3460-150-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/3460-153-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/4512-586-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4512-585-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download