330443e86efd23fd22c62a1fb09b86e1caa94e017bab089a92fb41e28ae9ceac

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal-Stealer-main/builder.bat
Size

57B
MD5

c856a1995fa86d5bf3dde2a2de732d93
SHA1

21de21d0ea29ffb9f3061b5d81116408dd228cb8
SHA256

23fb3df8dca77c02ab3d76013b6e12a2a1fda1a93ef675211c77df9ec6ce39bd
SHA512

793fb9e4d8b146a4e8d6e0dfa2d756ade17143420215f6b10646758bff39df964f6fa29761b4c6755dac7d1f8aea81152ac615d5b91bcea6018f997d0ecb5715

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3700	msedge.exe
3700	msedge.exe
3648	msedge.exe
3648	msedge.exe
2312	msedge.exe
2312	msedge.exe
3196	identity_helper.exe
3196	identity_helper.exe
4024	msedge.exe
4024	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3000	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1544	1548	cmd.exe	78
PID 1548 wrote to memory of 1544	1548	cmd.exe	78
PID 1548 wrote to memory of 1544	1548	cmd.exe	78
PID 3648 wrote to memory of 4896	3648	msedge.exe	81
PID 3648 wrote to memory of 4896	3648	msedge.exe	81
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3684	3648	msedge.exe	83
PID 3648 wrote to memory of 3700	3648	msedge.exe	84
PID 3648 wrote to memory of 3700	3648	msedge.exe	84
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85
PID 3648 wrote to memory of 3016	3648	msedge.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Creal-Stealer-main\builder.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python builder.pyw
  2⤵
  PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1a093cb8,0x7ffe1a093cc8,0x7ffe1a093cd8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,16026315718712015413,9306203740083843553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4716

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bb88128b6b2d63f04c36ce68ed52d0a1

SHA1
29cd0515976a9249fc96a9d77c9986238cd1c2da

SHA256
19341f9fde32349d43cf9951f118ebbff856499e0e6875101eaf2db37a7d7d8b

SHA512
ab3071e116a32fc105a868fe9f3cd11cb282fc6cdc1e101b09c7f6269502f98b34b2f0a2ec32eb2b537073e2b20bd22cefd2fdcd4be87f8b169e6eed3bed1ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
006ed76fe49f77736a98488472a47eac

SHA1
8e861b9d3ea5f61a5d80dd0361af607af75af165

SHA256
fe1df720c50a875ebaa692faabf269316582345f40b699196402fb34734260e5

SHA512
29b1f22403d3ff9dfc424c4cfcf0983ebfb509f1881c78cd0e8aa2a15688e95a74b9b184ce81bef3f86b48f9f0ceba4654068c3dce8dc656c8e1f4cdb5cfedd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
3142ce2b11599d9b9cd317c37c3e6610

SHA1
fb8b34e703fea54f21bcbc1e510154e7353ad6a5

SHA256
83c5fa745b8cb6c903d42189444deb66b45028667c3a7d2d9cb943f8515d8e96

SHA512
9b81de43345f729b3949239472c771643583f882fd773654ec4e8aa6459b1eba3377c2e1eb1eb1842fdceb9eb834c2fab94f9b0a5916a00cc6ebd91f02404e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5982794c9267a5a5e233e8cb0afdc775

SHA1
40c92c70bf3fcd471827ed7b1888f3ee3a0fec40

SHA256
0ddd376839ad91374608cfaf3123813e381f823c845b4994a9c632c3dcb7f39a

SHA512
37bb01bb5fa37abc1b16b652b625e0ed5987cf0c9d770dce1111ccd0086f5c65d660e6f83a3f03a68c63e56e9ced102c9a9657454fdcee1fdc6bab931f130f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac6a275afea89cc0440160bc7bec6509

SHA1
4409d79e8fad660d9e7de38054917643020d9dc7

SHA256
a7b7b2044f94687373c25f03c03ae4a407cc38185fef7cc144c6ef0afe28e2ab

SHA512
fc7fdcba49128f94687b29a0e6b42dc424a25facb8b561162f64104bb94bbdb82a0b6dcc3eb50d0ada36712f885251a1baf128f228eba1a289ba0783b4650e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
197453f848654249256bf50bd9be411d

SHA1
ee4da7c7347f60a3b62c24a7bd9d8194720d17ee

SHA256
4e536899aa3069112cf912c0cc8f44ed81c98fdcb017dc53cc0bf90dd600175c

SHA512
3c79e6916d6813085d1661cbc3c07019f13905442fa8d467cd7dad351bfcee7219358385973175cf0343607532bd7600fee7c8b4c21c5535daf33fcdb90d6d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
87796f83a580ad1059639b7b6f48c978

SHA1
3aeb3452c1d42aa82dcc46fac0eff546266958ca

SHA256
ca9281ab005e47fe20e132b81ccfbf7a5f0e6d845cd3412129bcb07cacb1397d

SHA512
196d07ff37bf35b583ba80ef92e0277eee328925a77accb3dae1ca10a356a7924f49a7e6233db1b8b320eef6beeb9677ee7d642dd4bcdb2f1343cfe84fb186cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6450bb30943c6d0913f3cf30c5b827d8

SHA1
9233ff999c6b9b054f069cd54298059975b3a790

SHA256
5a9f30a50371e25ae231b497443194320a84a2ce56f90a54d1a73fee6d3f2388

SHA512
519a67065aa66cbfb469aa19d7f150b036923b4743f662fd033abb9dec1f1b5b2c5be34b67d94b600898d8a53dc426b904c7de7d125b15277462dc5efb662883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f944.TMP

Filesize
874B

MD5
99626f713494b8dcca638de2e79eef09

SHA1
0b57d8c8f318922165196748c3776a57c406631d

SHA256
ecc66af5d3d25b61fcea88fc277754187ca3f1b28d4a6215b44a66d0e3326658

SHA512
46c9931c130644ca8cb4157fc550867262170eed53606fc56564273f9e872c072129207c7c69c2dd1fb42a47807be6600ff4f7166b429b912830ccbdae8518ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da32f82a-2962-448a-ae72-8552f6723356.tmp

Filesize
6KB

MD5
524c8198deff5022d02e78c124e638cf

SHA1
793c59c050b61a9a9bc8787793db6a2d5c030bdb

SHA256
4655f5d559ad5c27799454d3a1b150ed78b4f81cd2f02097251f0b498f81218e

SHA512
cc35c7f74a1683c0e38e824891e81180be301dd05b04db5f89ce57c35c85b84e0a5011ba3bc6c5fb86773ac4e5b25106aad662df13acd05af33d3dd3a196e38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb68755c52d7899fcb80fda7b980164f

SHA1
ee2eaf87e2321d0f8650e5e177f273b82a360fba

SHA256
643fe26f7c40e94ec2c2abb8babb7f70359f069f0b2170a84d746a0f37fefd67

SHA512
882801585d2f6316b39de016bd2da0f18fbee9aa366c1842b733d97e030ca1781d09cf6782f80744dd8fbdda82bee5141aa7a2aa8c668ffb0712ac3503ae75ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
170717ba9b90701fce26732f569a200c

SHA1
73d83e8a914fb8df00758867612b6cd9c98b8125

SHA256
c1e5a0516e443ef57aa63420d482daaaaed184433f3a0b9a9edf82aa77a65cb8

SHA512
a8729bae9fe51111c85acc58802e7c071b8bf069db63734fb2f9c1d4811011593c82ca8d47a4801eb1e0919f82485f98735c2d853e3022748a82db360f7ea8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4fdaded42e1f298959638b924c8499f0

SHA1
26b9880f05853d5176348a9707f451ec4271d533

SHA256
2af9c83a0de253324ab8243f289f1d87ca628aefc21d7215597a19bc3bf4d8b5

SHA512
5ad7422b989bb999da250e5049e9470ddd917d46e25515b116c107178f11010a4f63dba4f61197846ad8a6bc390bf14abee46b59ab53171ead5031f472808483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
49e6cc5efb187f556d9abedbbc05a83a

SHA1
7036a45eab17d0926ef63ebacb8254c1e46ceace

SHA256
71672d2596852ec70e371aa2d053dab4c2ab10ea69145d40deaa421825ff87e6

SHA512
6f55d676bad22bad10f6daec88d6780048f4a365f4f562156ef47452ae53747cb4ada24e325a75fe7b333d10bd9cd7816e74c2c6ee567fd95079df357c739091

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
491B

MD5
d090ed6a598786bf635a9e32439a5c27

SHA1
cf4720439b820dfa5c1940ff55f9521bb0d2fd50

SHA256
f2612e3df6faca49f9d7998c05edd7a4be794f54dcbd4ed2b87af9079779fd98

SHA512
23a022fd5921b5d8ad159c395d644a8af903f5f2ab16cce410f37f3bfcad00c0de9761ebc0418c5240dfbdfe62554948d5d6dadfccf553d0460a020798a576d9

Download Submit
C:\Users\Admin\Downloads\Cstealer.zip

Filesize
442KB

MD5
f1588dee158c088ba14a31fc33c2939e

SHA1
0b776d41a6e048d8be953b73c12c09a4d22489b4

SHA256
330443e86efd23fd22c62a1fb09b86e1caa94e017bab089a92fb41e28ae9ceac

SHA512
262d9e39ddfc4438a74023659dc7b7ec1dddb547db46a1cef5aa92190905b870550689ecaa8ff9eb8794b6a231d8091dacad1ca0967771c947483e333e832f57

Download Submit