44caliber | hxxps://disk[.]yandex[.]ru/d/CDxlGTqsr9tZog

Resubmissions

27/08/2023, 15:31

230827-syeh1sah99 10

27/08/2023, 15:22

230827-srx2sacf41 10

Analysis

max time kernel
51s
max time network
60s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
27/08/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/CDxlGTqsr9tZog

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1144111485715484692/W6-NrreN9sCTG1sx1mo0d2yLoDwfNnpdsyMarNWNlT4kgWHDWvgWC3whzPnqr8RkjttM

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3252	kamidere.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
216	freegeoip.app
217	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3252	kamidere.exe
3252	kamidere.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133376233569760262"	chrome.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3252	kamidere.exe
3252	kamidere.exe
3252	kamidere.exe
3252	kamidere.exe
3252	kamidere.exe
3252	kamidere.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeDebugPrivilege	3252	kamidere.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe
3372	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3252	kamidere.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4564	3000	chrome.exe	70
PID 3000 wrote to memory of 4564	3000	chrome.exe	70
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 2132	3000	chrome.exe	73
PID 3000 wrote to memory of 4552	3000	chrome.exe	72
PID 3000 wrote to memory of 4552	3000	chrome.exe	72
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74
PID 3000 wrote to memory of 2924	3000	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/CDxlGTqsr9tZog
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb0c809758,0x7ffb0c809768,0x7ffb0c809778
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1900 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4784 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4684 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 --field-trial-handle=1740,i,7430096637723544292,3222251448063234909,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Users\Admin\Downloads\kamidere.exe
  "C:\Users\Admin\Downloads\kamidere.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4124

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
fa9389de504ad17b7708d4d1d4863f50

SHA1
c87b0f45e1f6cf09fe0156401795581118517f7d

SHA256
caa19ed7b4efc8744a4526540474e0cf825411285f941a96eaebceccdc532b4c

SHA512
46d16adef43926f86923e5d2409b5e2f1107994231f8c5c25171b9c5983f5b0754ff5205fc0508824d2c31fbbe9cccfa63d4b9a4df3b7b8e42632638b787f759

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
fa9389de504ad17b7708d4d1d4863f50

SHA1
c87b0f45e1f6cf09fe0156401795581118517f7d

SHA256
caa19ed7b4efc8744a4526540474e0cf825411285f941a96eaebceccdc532b4c

SHA512
46d16adef43926f86923e5d2409b5e2f1107994231f8c5c25171b9c5983f5b0754ff5205fc0508824d2c31fbbe9cccfa63d4b9a4df3b7b8e42632638b787f759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
1KB

MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
6fa2f470c4f719ec24758c7fe136dad2

SHA1
d53d44a7f1c3871648556ecb7d2764ed7e5b80ad

SHA256
c52a276b4f6690ed2581185fcd47e869e17bbeb5bccc56beea360508c9b5c71c

SHA512
477346397bd7128cab4fa47701867082586591be80835d6b03001bb14dbb29f0f5e36c0ed84e7c3f8ba5c96bb59baea1ee117b6e974296deced17b181ccb68b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
250B

MD5
74679454a32078263fca223dcd24c942

SHA1
36853c0af5abcc022575d358ff4819e967860705

SHA256
0afc375f569d1677c717f2601ec601cd334444701bc2c0d8971424b126abf2cd

SHA512
9a980b12e97a657a4318194f28ac2fded0864c6f58941119e5a20324f34b4af63b4c6132a934bdef6246b3677927b4513366c113ddb4ded0a1ae36a17d364e4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
c355f65c1290d85e9d13272815962cca

SHA1
5ee29554f8b2a799a0a33f1ede8689f2693390ff

SHA256
2dad7ea2790fb803debf498c3b21de1bd8bc2112f15a8ce54f5179ffdb8de799

SHA512
ba6c2deee557834b3a95c7a368f9feebd8fc0a37b63d815e49343ef7a40294cb9e64899826397ef046115ff910690c08988cf29bfd0ce7d4de2886bd16bc4211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
58KB

MD5
1a20835382afa7b35d8d7715dca7f7e6

SHA1
f6afd2579415b151d3a8b05f6b5bfe23fd4e48a6

SHA256
87b42b461db0ef5526ada66617d413aeea35ac759d9981fae533896862310d59

SHA512
fdb755d5d72b9d9fafec7470afed743ae790290a414e28eefcb82a446205cd3f23bc8b8ce91a2f8bc7cde41e5b0bafe8a76bef3fa54c01f27520e6f44b180609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
a960754e7ad8a7cca595103f44d463fa

SHA1
28bc9216738c82219288482aad5d0a2b2dd93a43

SHA256
775d9aa7501485743943bc377b26b838d293e1c24737a921438d2f1f662405a6

SHA512
df73e34c91db6d9bf336b8cf328b5a1b83aa16b60fd890bb97d772dfe10249d73559acefd06917948cdfe8ea4fa0398faa409e5d8873a63612a353dc43a4e565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c739308f776dba817dc26789d279ebd4

SHA1
ee914266aa3db30b7f6db9086750a651032e867a

SHA256
9231083d628a08b576adf934193fd58824b1ac26a3a130fd8a68354893908bdb

SHA512
38d3bbf89082ea894d07265e24e0b6306ad00892aa81ba435bf0f69d55bf484929bb5362e6efd7dcf0a21cfd9b5a3fcbb4ae0f638b863850bed983d65da1aed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
515f905d36a8d1089957453d22e6e876

SHA1
7386b54c013031c0065a75365c65636b065e1439

SHA256
cf1f130e3f9c82ec6ea4e9efafd401fd27cb8e13d1a2fe02f1d420c729ae13e9

SHA512
eb170e4ffa5ec34efface6777bbebfd4cb9b5f1d79378525a49da9beb31621f1e5a20e3ef9b3fc3d5b4ca1a979e90e74112260f603fdd780bd6aae0beefcb96f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a8a765fea2eea3b33abb480a493ff360

SHA1
840e89ffad21ad22d6a0dcaa51fb9c5273f8e0c8

SHA256
4627151dba22ed986cfc704d6d429fbc13ae825128a5776cc0ecf5d395d7b55d

SHA512
1313e5c3d570e727c61e25f3a937d05fc649f67fad2aba55b3d395e5d9628c5622ef7a46f221d339825b7cc068e05406397ad07b8729a6310c89318ae594126f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d3d15b9cf054d9cd32b6de05f0bae421

SHA1
4e89464fe89a5419669a386285e5b9678f7e9204

SHA256
a539f668f07775109c503bac20bf80fea5dc9a59b6eb96d51289821deab7956a

SHA512
a01623118c60d74870a59824b97d9d8b699caedbf502e98826ad4f91ef3c32de886ad8ddf4c36da94ee3bff040b3624be1f5bd2c875d4689da65b6320b171ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c7623a933b7dc21be32688ea982e46b8

SHA1
7711e7f31ee315e4b2d9bd732a43ccd9ba41a742

SHA256
e34ca5a45702b7d4a73718970d9f13da054f7b36dc730f1934394a0e1764c4f4

SHA512
6e9867a03d0fd5655946ee0a519046ed9f6aae2c3e3ee75904dc513bcf0a9b1a8f8b11127650fb4ed56a1a1e88aa672a86a54c9373638af8b94ea118cdc110a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
90847e9d2e2224d3564b964a1a32f1fa

SHA1
9883dfa8d502de3611b39758e07d39b64502c744

SHA256
8b073d16eef991ee76343272a38f6b4b8af8f74bfc479c56610d08c19b3ef6e7

SHA512
9009aa42c135bf3e606b31183a7db42bf341630ebab2f743ee607aa9bf5cf372a50c45726d1a58a93bcee7df7a9ba06e1e1538d58ae2d1b0df6a1b126eb26542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\kamidere.exe

Filesize
1.2MB

MD5
7459066f56619d7465110e5cf08bf7ff

SHA1
cb2a865d3e3af9d17a30ec4957e564edfef657d1

SHA256
2f82f381e01d7c089f5af5a95a1d276cd349c3da56fc985024d8c5af17552d91

SHA512
07fb16334aee0388501410f89fa2c3e26641aa87234d32bb8de30f14d7cd4228a5792b39b775651d814cda314e78f0a01c2cfef8ae938d6dd42398ca2711b986

Download Submit
C:\Users\Admin\Downloads\kamidere.exe

Filesize
1.2MB

MD5
7459066f56619d7465110e5cf08bf7ff

SHA1
cb2a865d3e3af9d17a30ec4957e564edfef657d1

SHA256
2f82f381e01d7c089f5af5a95a1d276cd349c3da56fc985024d8c5af17552d91

SHA512
07fb16334aee0388501410f89fa2c3e26641aa87234d32bb8de30f14d7cd4228a5792b39b775651d814cda314e78f0a01c2cfef8ae938d6dd42398ca2711b986

Download Submit
C:\Users\Admin\Downloads\kamidere.exe

Filesize
1.2MB

MD5
7459066f56619d7465110e5cf08bf7ff

SHA1
cb2a865d3e3af9d17a30ec4957e564edfef657d1

SHA256
2f82f381e01d7c089f5af5a95a1d276cd349c3da56fc985024d8c5af17552d91

SHA512
07fb16334aee0388501410f89fa2c3e26641aa87234d32bb8de30f14d7cd4228a5792b39b775651d814cda314e78f0a01c2cfef8ae938d6dd42398ca2711b986

Download Submit
memory/3252-282-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/3252-303-0x0000000006600000-0x0000000006AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3252-281-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3252-279-0x0000000001320000-0x00000000016CE000-memory.dmp

Filesize
3.7MB

Download
memory/3252-280-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-394-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/3252-396-0x0000000001320000-0x00000000016CE000-memory.dmp

Filesize
3.7MB

Download
memory/3252-400-0x0000000001320000-0x00000000016CE000-memory.dmp

Filesize
3.7MB

Download
memory/3252-401-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-277-0x0000000001320000-0x00000000016CE000-memory.dmp

Filesize
3.7MB

Download