44caliber | 2f82f381e01d7c089f5af5a95a1d276cd349c3da56fc985024d8c5af17552d91

Analysis

max time kernel
58s
max time network
54s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2023 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kamidere.exe
Size

1.2MB
MD5

7459066f56619d7465110e5cf08bf7ff
SHA1

cb2a865d3e3af9d17a30ec4957e564edfef657d1
SHA256

2f82f381e01d7c089f5af5a95a1d276cd349c3da56fc985024d8c5af17552d91
SHA512

07fb16334aee0388501410f89fa2c3e26641aa87234d32bb8de30f14d7cd4228a5792b39b775651d814cda314e78f0a01c2cfef8ae938d6dd42398ca2711b986
SSDEEP

24576:BKJdi3xR7XX9NqdzkFxSEAuc3lKaMhzKukuYuC+:BCo3L7H9Md4FxSEAuj5MuC+

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1144111485715484692/W6-NrreN9sCTG1sx1mo0d2yLoDwfNnpdsyMarNWNlT4kgWHDWvgWC3whzPnqr8RkjttM

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
2 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

kamidere.exe

pid process

3724 kamidere.exe
3724 kamidere.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4560 5012 WerFault.exe PaintStudio.View.exe

flow	ioc
1	freegeoip.app
2	freegeoip.app

pid	pid_target	process	target process
4560	5012	WerFault.exe	PaintStudio.View.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exekamidere.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	kamidere.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	kamidere.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

PaintStudio.View.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe

Modifies registry class 13 IoCs

Processes:

PaintStudio.View.exefirefox.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PaintStudio.View.exe

pid process

5012 PaintStudio.View.exe

pid	process
5012	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

kamidere.exemspaint.exePaintStudio.View.exe

pid	process
3724	kamidere.exe
3724	kamidere.exe
3724	kamidere.exe
3724	kamidere.exe
3724	kamidere.exe
3724	kamidere.exe
3224	mspaint.exe
3224	mspaint.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe
5012	PaintStudio.View.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

kamidere.exePaintStudio.View.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	3724	kamidere.exe
Token: SeDebugPrivilege	5012	PaintStudio.View.exe
Token: SeDebugPrivilege	5012	PaintStudio.View.exe
Token: SeDebugPrivilege	5012	PaintStudio.View.exe
Token: SeDebugPrivilege	828	firefox.exe
Token: SeDebugPrivilege	828	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

828 firefox.exe
828 firefox.exe
828 firefox.exe
828 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

828 firefox.exe
828 firefox.exe
828 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

kamidere.exemspaint.exePaintStudio.View.exefirefox.exe

pid process

3724 kamidere.exe
3224 mspaint.exe
5012 PaintStudio.View.exe
828 firefox.exe

pid	process
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe

pid	process
828	firefox.exe
828	firefox.exe
828	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 2216 wrote to memory of 828	2216	firefox.exe	firefox.exe
PID 828 wrote to memory of 4616	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 4616	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 212	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 1680	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 1680	828	firefox.exe	firefox.exe
PID 828 wrote to memory of 1680	828	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kamidere.exe
"C:\Users\Admin\AppData\Local\Temp\kamidere.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ProtectMount.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5012 -s 4068
2⤵
- Program crash
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.0.933317450\862957837" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1668 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bf94431-2d2d-4181-8b5c-f419863076eb} 828 "\\.\pipe\gecko-crash-server-pipe.828" 1796 21f515dd058 gpu
3⤵
PID:4616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.1.1579034784\1278639753" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72ac8d38-e5a1-47ef-b6ed-5308a7861b9a} 828 "\\.\pipe\gecko-crash-server-pipe.828" 2152 21f46372258 socket
3⤵
PID:212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.2.1868470973\594806030" -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 2780 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9050d2d-f718-46c8-b25b-977f65fc5eca} 828 "\\.\pipe\gecko-crash-server-pipe.828" 2832 21f5156aa58 tab
3⤵
PID:1680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.3.420889114\1876841302" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0819f433-2522-4d4a-a8f5-81b2aef08b7e} 828 "\\.\pipe\gecko-crash-server-pipe.828" 3488 21f46362558 tab
3⤵
PID:604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.4.558090240\2071418172" -childID 3 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2650b9a-4606-4e2a-9b7b-17ee40c7446b} 828 "\\.\pipe\gecko-crash-server-pipe.828" 3900 21f565a7758 tab
3⤵
PID:2224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.5.1207069616\1809958482" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56da25a8-5282-444e-8b3d-ab9595c3a209} 828 "\\.\pipe\gecko-crash-server-pipe.828" 4840 21f5799dd58 tab
3⤵
PID:3420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.7.1533707963\758093089" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0f63e85-bd3d-41b8-834b-7199f98983e8} 828 "\\.\pipe\gecko-crash-server-pipe.828" 5152 21f57a97458 tab
3⤵
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.6.1548203552\868014355" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28372166-e29f-475e-b5ac-5e0559144b4f} 828 "\\.\pipe\gecko-crash-server-pipe.828" 4968 21f57a96b58 tab
3⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
82abe887e16f819d6cbedda25a3d5d3d

SHA1
09f3fff26073b722114ebbefaa4b474c7f7c2549

SHA256
034e5bf691cafe9b8681bc6587ff1331d1b1ee1a739769a206d526e675b0ebbf

SHA512
11efb3d1f6b3f77166868164322d6e05e0dec55d838accf6a756aa6c1e8fd4896f9acaded5de2efeff652d6c1bf305aa0ef62a1990019d05b6a92c67c314be12

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
242B

MD5
3b4c8aa83c447f5485247097f5638d3e

SHA1
c5b7fdff93d67f588b24e658dabe88b20aaf6457

SHA256
0493d256af37fa67d6d845f2cf328c4a977a785f85a4ba8e5fb74dd828982de8

SHA512
61b805bf107d373c9fbca0644a9db7ec931ae52eaaf4843aaffc7dd30e6d13e5194513e0c770ffa99c3c38ebb1529570aa91a605de1bae50b20f20a1ab5a275a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
735B

MD5
b70281f0df1902be546c34e9e677eb1d

SHA1
419bc4098e05ae9ceb1adf2220953e0fae11f289

SHA256
95612009f723678fbc1dbbfa0ccebfecf8398ac09fdf50fd02b31481a18a132a

SHA512
42d43835b0ae3e9e6a1c88f1876d00bbf7f826ade5489e80289a438f1079aafacb2fbd40920f75a0f59265842f2319fb1f6676d6471ad7a842e9529e24d7abb6

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
782B

MD5
ba8ba69de87ced03290ff1f84c7684ea

SHA1
c1ed76420a2df8fa3275332ef2e02c8c8c70ae23

SHA256
d40be3b9d8f373d8c716de3001afcb7476081afd640ef061e6a86927832f00aa

SHA512
96dfd0dca198004f69d1b91dd54698dcff8dea16b56c319ead2c31293d24c2fac3a1f5f232fecbe4452b7fa5829693bfd4c2248eacc2da8e4924a32f45875e33

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
965B

MD5
d79791afee5143ed3e3d4e3725a33f22

SHA1
0833c5a511b5b95c0b690b4c11480c27a37bfe14

SHA256
ba0f515913552bb36bb673cb8e454a55186bf469274ef1b6e268f285ab1e208e

SHA512
b42bc70aa4a1dad93c75e9e54d76be4ab8461fd4520bddd772850a582113e8529565598609b2691ca28daeaab21367d656d99b0cfee327f78080bc04c809113f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
929b807d8f238a5c2c3759a944cf64ae

SHA1
11a4230f99db2f466d8604d83299cc3aaabe9a75

SHA256
4b7d44e5b261da8de0818ca8415de83d1f53316ea6af8555f8c912cc74affd58

SHA512
806e59fa036dcc44630967f30c63552bf8ffa8f1eb3f0880f4c8ae6bedc71d2a74caca0669f6471ee789b8db27fc791a5197efa546f1a8c955e0b6c396e36fa2

Download Submit
memory/3724-6-0x0000000005EA0000-0x0000000005F32000-memory.dmp

Filesize
584KB

Download
memory/3724-25-0x0000000006DC0000-0x00000000072BE000-memory.dmp

Filesize
5.0MB

Download
memory/3724-96-0x0000000006D30000-0x0000000006D96000-memory.dmp

Filesize
408KB

Download
memory/3724-100-0x0000000000050000-0x00000000003FE000-memory.dmp

Filesize
3.7MB

Download
memory/3724-101-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/3724-0-0x0000000000050000-0x00000000003FE000-memory.dmp

Filesize
3.7MB

Download
memory/3724-3-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

Filesize
64KB

Download
memory/3724-2-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/3724-1-0x0000000000050000-0x00000000003FE000-memory.dmp

Filesize
3.7MB

Download