44caliber | 2dcfd9b32402fa9b0899100d5707b28552dc9d932548230af3aed4e2ae3c7bca

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

leet-cheats-freeware.vmp.exe
Size

6.9MB
MD5

98396064f2a7683dcc23ba2dbdaac347
SHA1

09d6c4ca59e59265b17d448e5e0c5887171f03e0
SHA256

2dcfd9b32402fa9b0899100d5707b28552dc9d932548230af3aed4e2ae3c7bca
SHA512

5b634afa4720a11e7e5fa5c2c7fb8a1b421f94fb116d252c7c27b74bfc16eb6a3353f47ab94bab77d4fa79a49570a8a770a4ba0372408be6ef9af8f131a7ffed
SSDEEP

196608:D+Hi7E7LsX2GHY282Nhg5f4X6JiqO5ftIEDaajLeaK/mQ:aH74mGHQ2NmV4qJDO5ftYH/mQ

Score

10^/10

44caliber spyware stealer upx

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1239998001162883183/Prdtl-xV5N5KoPdJjFyeakzF-tcDlNNdpgQa5_WSJhD6azfB04Gi-4sCmpkCOwJ_5MMR

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	leet-cheats-freeware.vmp.exe

Executes dropped EXE 3 IoCs

pid	Process
4280	2323.exe
4844	leet-cheats.exe
1520	loader.data

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233ea-61.dat	upx
behavioral2/memory/1520-62-0x00007FF6E4E30000-0x00007FF6E5A5A000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
2	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4280	2323.exe
4280	2323.exe
4280	2323.exe
3376	msedge.exe
3376	msedge.exe
4692	msedge.exe
4692	msedge.exe
2776	identity_helper.exe
2776	identity_helper.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	2323.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4280	2148	leet-cheats-freeware.vmp.exe	81
PID 2148 wrote to memory of 4280	2148	leet-cheats-freeware.vmp.exe	81
PID 2148 wrote to memory of 4844	2148	leet-cheats-freeware.vmp.exe	82
PID 2148 wrote to memory of 4844	2148	leet-cheats-freeware.vmp.exe	82
PID 4844 wrote to memory of 4692	4844	leet-cheats.exe	91
PID 4844 wrote to memory of 4692	4844	leet-cheats.exe	91
PID 4692 wrote to memory of 4420	4692	msedge.exe	93
PID 4692 wrote to memory of 4420	4692	msedge.exe	93
PID 4844 wrote to memory of 1520	4844	leet-cheats.exe	92
PID 4844 wrote to memory of 1520	4844	leet-cheats.exe	92
PID 4844 wrote to memory of 1520	4844	leet-cheats.exe	92
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 2600	4692	msedge.exe	94
PID 4692 wrote to memory of 3376	4692	msedge.exe	95
PID 4692 wrote to memory of 3376	4692	msedge.exe	95
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96
PID 4692 wrote to memory of 2620	4692	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\2323.exe
  "C:\Users\Admin\AppData\Local\Temp\2323.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://unicore.cloud/drama
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff087346f8,0x7fff08734708,0x7fff08734718
      4⤵
      PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
      4⤵
      PID:2600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
      4⤵
      PID:408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
      4⤵
      PID:1696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
      4⤵
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
      4⤵
      PID:856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1553855321192125255,4313068417735727190,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4236
- - C:\Users\Admin\AppData\Local\Temp\loader.data
    "loader.data"
    3⤵
    - Executes dropped EXE
    PID:1520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
18b449679db11ab9244ff62a50bf04ab

SHA1
dad08c9104a07be88e99c7cdaf021c27ff306f0a

SHA256
ec154867dfed0b7b91b68033515d20b88b2bf2e0ec6f4d10222361ab9ebd632e

SHA512
26e07a57710d305d748dbd00f44f26c6d866df301d8fac6391d85007b34cbfe73d74a0f98fb152f02338fe998c91d414149c9177fab9a387434ad1ad61cdcb6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fde2c96c580ae8912d7b933e9aa1374f

SHA1
e0a0ae47c79cb0821ff0e0167b38343c68cdf24c

SHA256
1371cc484d367a62d47f7d3c3834c763f6cbeea51f65a851df93c398e3b14f95

SHA512
ba9a84517099a0a24095ff1e2ed59bd8eaaba7105818741be4191d5c11b2a522f04b556452359d217ee838ce1662ecd6ba9b8faf82a78291b19086a0034f45db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d50f3e6177629d6318f43b8c333e8bd6

SHA1
c9e2581d44bd65a12da12bb7c4e22b35f4b1a465

SHA256
a6cc3f7a600f74d25ed4f234d89dfb66c01402d7827d02fc5bce3f6547482e5e

SHA512
48b1733fed477c6ed621e6ef225cf800e959edf1e4df830fbb6cc5155f31c3159a23bfbec6e3beec23a01bb37136320044bf87f4072b82b7a202b83f1391db59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4e78c1cf08995c9b4ba0f217cd77ada

SHA1
964d33bbd90187d35d821ca55e06436b9ce2b539

SHA256
6342025fd85d73ad722dc9cdcaf453f144092e841c9200724ad15ce1dea5e913

SHA512
fd9512d287280dd228fc8eeb59686ce233f16d896678bb6939607092a3526f62596ab29391e66111e56f50e84970415c7f23ee5fac599668a6200c6d4e0a2401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57fc1da69e927f90e2e814620eecbd7f

SHA1
124a0611fb2f5c8e13c8693bbf4ab178ecd8651a

SHA256
f1efe49d57d068ca861ef0f1183739878f600dbefcb196f87d5c781cf0120dee

SHA512
78cf9de5ebc2ce8532775319feb0b43e507533588a40c018bfcda5562b52e50f64ca6af0db7073b7647f21dcb9df8025e745575fe34a33d1abaf8803a9b6304c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
1dc5622f4a5cdaee5e28e6271fe21bce

SHA1
b1289abafe1253d61b6c0eb52a8dd2a9b9a18068

SHA256
97fcd39e417772fe3fb98c0d74dfea9747122765b87d03d7c187682dbb33dd74

SHA512
29fb261787f2df204ac1dfbb07230be3675958eb76b83ca9374c0482d9d2b846a4a6ad9c322bbd264cd8dcf2e8411cea561a74678c7a281c0d610480d240a631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
fffba7a1c51d3ea4c809f2523f39b538

SHA1
97c37e743c843fa184d028cfd773dd730d5aa805

SHA256
fb386c114c80ff47eb32ed6a56b7d914a0239639d69ca405a276aca361d865d3

SHA512
42920b895ba3ae2b18a7e7968b1b50927f80a090df4905eae7e3a967ad239f48d5f35512daf8b313918b86a76670c668283cd3873ca6a05760a937ce7eea277e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bde1.TMP

Filesize
708B

MD5
731b627b801020fef24da4d376e6c364

SHA1
137756ccbc079697e86dde40dcdd3204cdc11498

SHA256
25a833a4b67e7605a1c1279c4a65bd47fda273d916dd09dd7e2766f2e1535f16

SHA512
354765a7717199ffb982e9e3a04bee4ccec43ba4291f07a9a17c4af6482c529a5b88885b2b4efc217308711e503d302c135008dee818e072073729949fd31ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4295a3089fe94de3a93a7f545a07964

SHA1
f7c76bc155721abb4a86aeb9b7ad7506b5a24055

SHA256
4fc603aeed7727bb346b7d0f9421afc7bfcf487e625ea8844cfe2c0924e831fb

SHA512
4e00bce9d567375394f5759246dcfbc6039f4c0257eac93221927d1acbb5d647d0b06d1618a9c6a7d0296f9569ce50ffe155039d1bc322d67e3bc23591440020

Download Submit
C:\Users\Admin\AppData\Local\Temp\2323.exe

Filesize
303KB

MD5
6d4d2a454bc8728f442e32c4471abdbd

SHA1
bfb79b63f606947623c418da921b65dd0a192b5e

SHA256
926a0c168b569f523cfc1c88586bfaebad3cb5c8348da3978ea27442f49a89bb

SHA512
ff30db6131e49f51fe9d18c2a3a3218b8b8ebfd7117dce7d9b7f8072b5eba12768e08ec723a0fd3ebd626f056b485bf7d18bd536fb0a3a8eeec88a107bdfe616

Download Submit
C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe

Filesize
6.6MB

MD5
13950d86cb3748b2a1f535eaace1a3d6

SHA1
9b1634057a11119ed38d1574bc2db160084cefd3

SHA256
10328d771df10ba9f20ff5a65046d559bdf35d36855bba0af909febaee9e53a9

SHA512
6ee06e0576d571f9e2fedbe904ecfab5a83b2fd8adc28d469ab08c728610eab215b8c6946feab8f4e33510978e879c66618225f23c4c3b6dff66b96147fd0964

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.data

Filesize
5.2MB

MD5
b86bbb42b26e72a601087f68cda89208

SHA1
baca49e35da3b83cd56ba579d61f98e9b137debe

SHA256
320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

SHA512
e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

Download Submit
memory/1520-62-0x00007FF6E4E30000-0x00007FF6E5A5A000-memory.dmp

Filesize
12.2MB

Download
memory/2148-45-0x0000000000400000-0x0000000000AF1000-memory.dmp

Filesize
6.9MB

Download
memory/4280-52-0x00007FFEF8A30000-0x00007FFEF94F1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-50-0x00007FFEF8A30000-0x00007FFEF94F1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-12-0x00007FFEF8A33000-0x00007FFEF8A35000-memory.dmp

Filesize
8KB

Download
memory/4280-15-0x000002083DF80000-0x000002083DFD2000-memory.dmp

Filesize
328KB

Download
memory/4844-53-0x00007FF724CC0000-0x00007FF7259E3000-memory.dmp

Filesize
13.1MB

Download