44caliber | hxxps://disk[.]yandex[.]ru/d/JN-LxzQEH_gfVg

Resubmissions

02-03-2024 14:48

240302-r6p42sec9w 10

02-03-2024 14:48

02-03-2024 14:39

02-03-2024 14:30

02-03-2024 14:29

02-03-2024 14:13

Analysis

max time kernel
342s
max time network
340s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/JN-LxzQEH_gfVg

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1213470089370800169/n0cIp20zmoXW96bm3kmEEDF8S6ayukwO6fCeFq-6ll6NW6LsRhdA972MVTaBHlihjCVc

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5104	extend.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
116	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{42726BFC-8CD6-41CE-BB6A-C51EF2E8800F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 396522.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
4592	msedge.exe
4592	msedge.exe
5060	msedge.exe
5060	msedge.exe
3664	identity_helper.exe
3664	identity_helper.exe
5924	msedge.exe
5924	msedge.exe
1400	msedge.exe
1400	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
5012	dnSpy.exe
5104	extend.exe
5104	extend.exe
5104	extend.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5012	dnSpy.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	dnSpy.exe
Token: SeDebugPrivilege	5012	dnSpy.exe
Token: SeDebugPrivilege	5104	extend.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 5024	4592	msedge.exe	89
PID 4592 wrote to memory of 5024	4592	msedge.exe	89
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 4920	4592	msedge.exe	90
PID 4592 wrote to memory of 1488	4592	msedge.exe	91
PID 4592 wrote to memory of 1488	4592	msedge.exe	91
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92
PID 4592 wrote to memory of 3136	4592	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/JN-LxzQEH_gfVg
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2d6246f8,0x7ffc2d624708,0x7ffc2d624718
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9359390699662992313,487693561278300116,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5320 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2128

C:\Users\Admin\Desktop\dnSpy.exe
"C:\Users\Admin\Desktop\dnSpy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5012
- C:\Users\Admin\Downloads\extend.exe
  "C:\Users\Admin\Downloads\extend.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
55KB

MD5
6d8f9921a63536dedcf15750034246a0

SHA1
21341ce07711d86386f6b12cdeede8e277c94ead

SHA256
ce6ad02ba3020a190452d69867165ed73230d2108c74f608fbb7cc7ada4c3f72

SHA512
2fdd4929f8dbcc57ddb2d3328bebe58dd46cf8edfdee54ce3cf81e115172a164c60b79f648442e5940cc7848ae67efe9ddcba48e012542e533835718874d9a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
31KB

MD5
acd3f8bcdca044e4382c0bb6246b0234

SHA1
1c83d89a3c40835a82f06e6bea0af86f52901bc5

SHA256
cec8af8be960f3b13ad0f554c338ab88688ae5b4ddfcda5471fc8268ce66db25

SHA512
3cbf100cc72f4a63c7aebe0ec029fc3635b97addbb0a4e83febbd127e00ff1455fc0b4cb90839f3bec498a7cdb848d8fde4d6991cc6a1f479669e70ad220b5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
1.1MB

MD5
f07899b2fa8398870c2dcb5d7fe44fc5

SHA1
6efd418ec9d45e731cf848b75b52cfb6124e773b

SHA256
732fe8afbf4fda320d34ed9bb0d4d4f5525879ed87784870face53eb50ffbaeb

SHA512
0b30a0d01277d2f3abcb85f3fc16be3b07fd826e9cb523b73fd9e45bc5cacab03e6f0486ce84cdeab01adb70810d6891d87dae036e525959a4e97114588a900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
790de8d15771d4bcbdee2e4a6bdfadcc

SHA1
67801103f486f44b52ad9e75e0d02c4247f79ca7

SHA256
d56f700ac8d7c659d12279c928f875af6a8d592045067d034343b3b9b93e7b82

SHA512
c535b73e5a4cd32c074e4b97e5de25c5bf4e5c3a84d05f749c3e31cb5cbcd4eeae780d3f6206cb7c1454907f905bac666fd785c23d01d0d1d0042ac1aefb74df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1267ccb9c36d2bd6e765f0d0fc0e31da

SHA1
efa573caad1fc4efdb5fb6cd296c4ef7b81c10f7

SHA256
b7ad69f14481d707b13fae3c8bbd905c58c72e62a341bc184cd82643437c50d7

SHA512
599ead3e79f78fd8ccc6da304280c70ccdd83cdd70919800e1d1a5b35ad44117424482cf18b98dee32b3fc659b265a7d4998ebb6117fc034f09480759f5e19f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
04f70d2662295ff4dd93efdbf35e6e22

SHA1
37e7b6f142a83742ed1ae4874c46895829e6bf83

SHA256
a5327aa87efc1cadd362d32bad899a586d2ee7458df26aeba08cf5fa79eba418

SHA512
8816f488bdb0dcf378f50e2d2bdbb650f16c52d9011758d2b48b573098da4b63f00b4f7a3a04c85d447f0b0c4300f53bab236dd0b9d0c11fec0ad3506da790fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b65a46f07d34a1098db7d823b47c28e

SHA1
cf9a99113060e9c319190602b5193adcef0a29e9

SHA256
b1d42b04b57f76910a2beedff68a7d3b89e8b2280cc5ff1105f00040e4a82e34

SHA512
27e7215f1178b59fa6ff00854f6ec7fa37a1299b28171d05e8899681efdd772a738584a0022d63b3dedac38603aeb5e03a3d31ebe61f3148f612b57ffdcf6ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c24fd45dec33c7fd71862f87b2a05da

SHA1
1a1863dd65f66d1e3cd99d23c67b1184ba11bb28

SHA256
4a2e7dcf51e1eaab0b3e870046366bbaea23d40f0767e11aa120d07113945726

SHA512
ecf777bfadca959109e1c820feec37605f76cfb9b59bedb65ca89f96168984b174ff5dc50439b828311c6d07e89ea098d0095ab8612e9674b7f7254bc8ae4d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2dcd8b12cbec30022228c3adb97ad7bd

SHA1
bca4dc0a29723e029f6b0c32756b102d09e6af33

SHA256
513cef3008edf0c4820937710810932c99649cd87430b35b32b1aa83298367a3

SHA512
52a86ecde052e50e093654025ba3d814aa4c932be7555e0e6165f2cc5db22409fddb6b107f9814999cbc01f0cd58b5e44da1ac9777af3d7fe5bd7e8980680650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e23fee24a8e7b0afd02a50f5374df07

SHA1
840cfdce624e688782b4a293f7e0c92823b4444e

SHA256
4225548584a22b49c01ee06e6d3e696358f2c372ed0b3e65c828ebbd742c8dd3

SHA512
25b4972073d6b91bb4e9183c1b3b5322a7da8325567d6ddacf139cdfc0a0b1ecb45818ef6d9006ef3ba95ed1b402443537d82ce4ea117121af5c304e3c55688c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7fe66ee99c8b113551a6f67974f7e2e5

SHA1
26ac30eebc4cac79bedc8a701a6a326ab156c745

SHA256
8bd566eadc27a7c92aabd608ee0fdea14a90b494ad615563c9f653d38b12b891

SHA512
b96a59771fc934559b5e619056d770c9003b7fb1418a71ee05ede679ca721d94114dcc23b6de0eddfe8be10a2de88dc5c7f3fece08ca50a3a9ffbc8b47cdea2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4a17ede44f594547448db4a407a762cd

SHA1
537c5da6d6d759d984737e4e406c0a7c23a45fca

SHA256
1e0a2efb6a16965142211168c83258cf078a81b7e0cf601b00bc502ee43cfcdf

SHA512
f8f1d905ed1c1bb4f7c894cbcb26ee88b21902b3e8c75a4c5b3b1c19ee5859736d7f3c667f24e4c1a51780c2be2843b2961f3db537cc0c6ffad14ef70a0c6553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a1582441b076e9a1e72a734e69e0b955

SHA1
85db0fc1e8dbce31e233d4a4148fcab6593eca48

SHA256
20bb2020e70851beac7a406b0b60bd919e8ea9429abb202fb387e6c86c470560

SHA512
2d43be543e8c04ea9c1c8acb02442f0779065fa691351d5d79773148b41ef84952e684ec5478a85537b1a896749c7bd087896a9905c307115a5454fcac3d0265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e8b288fdf088f58440ac01aea2cc099a

SHA1
88020d6425c46ff46a1c89836d67314838a80385

SHA256
19204dbc4986132bf71e02395a8d8ab5ed2560a0834ab8dff6ff8857a2dc2ba3

SHA512
fc888386dd73a365f5caa1dbfedcefa61eff6eb972b94b4e13ae29a2ae16584641b927558ad477d662bf7469f011877ffb2d1766296bf03d4eb438b6a7aa44ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57acab.TMP

Filesize
1KB

MD5
77e8e278239b00270e7393965ca37c60

SHA1
848c8f710af2832f844a7a1d54723bbb8cf9d207

SHA256
df880f661f53d29b8dc863ea540fddfaf7fd9d8daf49e1b18d470f2d2535f149

SHA512
905b6ceb0751348d1546cce582934b5f4028b23df4cebd8951f90cb8c740c4d3c70f3b259d897ed2ad56f0890352317c0e3e023a65726779c2734ce4190e824d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab1530cfa4fa1c23b9c2c0afb7aef93a

SHA1
71e5b93c55536db272335cb8d6bbee7bf6299b68

SHA256
38f6c54cfded2a0c237be9f20c7af1adebc90507e9404691c02b146586af668b

SHA512
efc15e1c71c61570ec4ea519e399ad37d8f1c34a8569cdcc8819889e07e1e2f0f075b8d3a4888180d4c71f455fb8718b03e57f3387d4956dae8881a8f83e8e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
60b35b762476882b50aaf58c267ffd05

SHA1
8054681c6b4943bf47c8743a0a0d698498852948

SHA256
f30ce9acf2cba05338e6709c132928d77178bce15c9dd9e2cb6a4954a5e03ebd

SHA512
c7f3217022b36dc5bc7af8b375e4100f021486f3cdcd1cc515051530c9cdcc4d91d40e65c7fe9ffa9424811a0c7650b8c823b249dd71a0c54aaa9e136a615d5c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 396522.crdownload

Filesize
273KB

MD5
3f62061544094b6aab3728177e20a8d1

SHA1
a0497e0f63b96eaf206b91efcde95426b956e079

SHA256
69cccf88eedbae6a6a4818d587d3a5f74b5bfae56b162a9a551f5879f91b9261

SHA512
29d9b13fbda73522dc2c54bd246cfe2b3c67519e1d36c8e542081647457fbcbc49fe09cac0a2624f463dfc05cfee6282d0db2f1b22886b645ac29ceaa60e0664

Download Submit
C:\Users\Admin\Downloads\dnSpy-net-win64.zip

Filesize
55.8MB

MD5
391955e711e44171188ee49538af97d7

SHA1
94e91efa9943c03b1b9b12555fb53248ab90d164

SHA256
1ffc16cb0eb3cb0e92d9731cee06b1a471e6871dc6677922ebfe647afd84cb51

SHA512
a78b33f36921c4181a42453582e110d866de4560101dfbdd07b4c18dfcdc827bc86371f087046d5a22efd3623582a0a73e984158d0dc2ea60154c4e4f2f0648b

Download Submit
memory/5012-827-0x00007FFC1A590000-0x00007FFC1AA94000-memory.dmp

Filesize
5.0MB

Download
memory/5012-844-0x00007FFC1A590000-0x00007FFC1AA94000-memory.dmp

Filesize
5.0MB

Download
memory/5012-845-0x000002AD7C510000-0x000002AD7C520000-memory.dmp

Filesize
64KB

Download
memory/5012-848-0x000002AD7C510000-0x000002AD7C520000-memory.dmp

Filesize
64KB

Download
memory/5012-849-0x000002AD7C510000-0x000002AD7C520000-memory.dmp

Filesize
64KB

Download
memory/5012-926-0x000002AD7C510000-0x000002AD7C520000-memory.dmp

Filesize
64KB

Download
memory/5104-856-0x0000024C2C2F0000-0x0000024C2C820000-memory.dmp

Filesize
5.2MB

Download
memory/5104-894-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-861-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-862-0x0000024C118C0000-0x0000024C1190A000-memory.dmp

Filesize
296KB

Download
memory/5104-863-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-864-0x0000024C2C820000-0x0000024C2CAA6000-memory.dmp

Filesize
2.5MB

Download
memory/5104-868-0x0000024C2C1A0000-0x0000024C2C1B0000-memory.dmp

Filesize
64KB

Download
memory/5104-870-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-871-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-872-0x0000024C2CE20000-0x0000024C2D186000-memory.dmp

Filesize
3.4MB

Download
memory/5104-876-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-879-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-880-0x0000024C11C90000-0x0000024C11CA0000-memory.dmp

Filesize
64KB

Download
memory/5104-883-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-885-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-887-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-889-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-890-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-892-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-855-0x00007FFC3A190000-0x00007FFC3A1A0000-memory.dmp

Filesize
64KB

Download
memory/5104-895-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-897-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-899-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-902-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-903-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-904-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-905-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-908-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-910-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-912-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-909-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-915-0x0000024C2BFC0000-0x0000024C2C026000-memory.dmp

Filesize
408KB

Download
memory/5104-916-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-914-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-854-0x00007FFC12BC0000-0x00007FFC13681000-memory.dmp

Filesize
10.8MB

Download
memory/5104-927-0x00007FFBB38C0000-0x00007FFBB3940000-memory.dmp

Filesize
512KB

Download
memory/5104-932-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-933-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download
memory/5104-934-0x0000024C2C1A0000-0x0000024C2C1B0000-memory.dmp

Filesize
64KB

Download
memory/5104-935-0x00007FFBB3740000-0x00007FFBB37C0000-memory.dmp

Filesize
512KB

Download