44caliber | hxxps://disk[.]yandex[.]ru/d/_N8aU-U991HGvA

Resubmissions

30-06-2024 00:18

240630-alp5watdrl 10

30-06-2024 00:15

240630-aj7l5stdnn 1

Analysis

max time kernel
27s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/_N8aU-U991HGvA

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1255928116254347374/u0ls8xAob_OonkG4QfZR2Rkb7HTFJJnFeRnAbtEqsrIQCTthQ47AiadBOYeurhlrLKMw

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 6 IoCs

Processes:

cheat.execheat.execheat.execheat.execheat.execheat.exe

pid process

4740 cheat.exe
3844 cheat.exe
4548 cheat.exe
1192 cheat.exe
1800 cheat.exe
1936 cheat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 freegeoip.app
42 freegeoip.app
44 freegeoip.app
45 freegeoip.app
46 freegeoip.app

pid	process
4740	cheat.exe
3844	cheat.exe
4548	cheat.exe
1192	cheat.exe
1800	cheat.exe
1936	cheat.exe

flow	ioc
32	freegeoip.app
42	freegeoip.app
44	freegeoip.app
45	freegeoip.app
46	freegeoip.app

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Cheat Game CS2 2024.rar:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Cheat Game CS2 2024.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

msedge.exemsedge.exemsedge.execheat.execheat.execheat.execheat.execheat.execheat.exe

pid	process
4692	msedge.exe
4692	msedge.exe
3308	msedge.exe
3308	msedge.exe
1040	msedge.exe
1040	msedge.exe
4740	cheat.exe
4740	cheat.exe
4740	cheat.exe
3844	cheat.exe
3844	cheat.exe
3844	cheat.exe
4548	cheat.exe
4548	cheat.exe
4548	cheat.exe
1192	cheat.exe
1192	cheat.exe
1800	cheat.exe
1800	cheat.exe
1800	cheat.exe
1936	cheat.exe
1936	cheat.exe
1936	cheat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2824 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3308 msedge.exe
3308 msedge.exe
3308 msedge.exe
3308 msedge.exe

pid	process
2824	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zFM.execheat.execheat.execheat.execheat.execheat.execheat.exe

description	pid	process
Token: SeRestorePrivilege	2824	7zFM.exe
Token: 35	2824	7zFM.exe
Token: SeSecurityPrivilege	2824	7zFM.exe
Token: SeDebugPrivilege	4740	cheat.exe
Token: SeDebugPrivilege	3844	cheat.exe
Token: SeDebugPrivilege	4548	cheat.exe
Token: SeDebugPrivilege	1192	cheat.exe
Token: SeDebugPrivilege	1800	cheat.exe
Token: SeDebugPrivilege	1936	cheat.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
2824	7zFM.exe
2824	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3308 wrote to memory of 3992	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 3992	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 1988	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4692	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4692	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe
PID 3308 wrote to memory of 4152	3308	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/_N8aU-U991HGvA
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff57ca3cb8,0x7fff57ca3cc8,0x7fff57ca3cd8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14024518642477286085,18024794169273782544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Cheat Game CS2 2024.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\Desktop\cheat.exe
"C:\Users\Admin\Desktop\cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cheat.exe.log

Filesize
422B

MD5
8ad52488d22ce336c7369d14f0faa3d6

SHA1
f3105c609dc3bba95c168301d684043a3a6a76b3

SHA256
83870ba00087fbfd751b280dc2053850c46cc8f91032b715d87e0052038f456a

SHA512
5c9b149a4b6cb8351b7def746d621cefbc62ddfb5f141af1dbc6b5a7c80158dec6328ee8e80bf31e6f4398ab433af71e451643e188e813202b96403e1252a291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f738fcca0370135adb459fac0d129b9

SHA1
5af8b563ee883e0b27c1c312dc42245135f7d116

SHA256
1d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63

SHA512
8749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
68de3df9998ac29e64228cf1c32c9649

SHA1
be17a7ab177bef0f03c9d7bd2f25277d86e8fcee

SHA256
96825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43

SHA512
1658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
55KB

MD5
97ad0b8634b6564f71b76098b702611b

SHA1
c29ea74a4564b5a73ec0001973c81a61851a1c68

SHA256
c9c750c011d73fcc086d165c9f1020de2bb4e8f0c02cc0b84e40c77ec3f22f3f

SHA512
164a1c30730e4a32ce9f3047e4e662cf09ed7d3e737841df4118f1d07128df7e6fabccb61ff3694d8deda34c8cbb0ad1d5da07ef1a0949c47c807cbd2b41c1e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
c98608d2287bebe6202a18cb7e3d9487

SHA1
e9567a86084ec21b8a3baf69f6cc2b1a8d872048

SHA256
6c8dd857a80b1531118972c9a62432e5de1985d0ebc1ef532d739635426f63f8

SHA512
588c221962189e349db854ca6a863480916bca237fc743b098638a03502c19e2a79299bfac1b4b2dc165e1ef4411622e4b22d19d0365afedbcd3a210ef14074c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
be782724e43e640ab51b7e120fc8f649

SHA1
ce1031e2f40b6570811b3a9f26730ba088430760

SHA256
549889f1c651a9ea3ec9843f2ff276e1268a84c630b265061bb48ab5c69fc846

SHA512
2f987ad3a10c2ab1e9aebbe703c855050183b2da83663f92534eabda4f71aa1417a2046cc50a987fb0e91aca41c707e76d49702817e6b1b0ad27d44557817534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
630B

MD5
acfe9e9e93fc6d9c48e23e90a7d989e2

SHA1
d1690c12cf2ecaaab39947e3a2a2458d8641372b

SHA256
cc32453e0858f8fd3527dfb46f5fafe53a8ee711de113f9e558fd8698a819951

SHA512
26bc03f59507f047abbd67c9f0244de98ab0805325328551b81ca20ff3bfeb356ad483934f88848ec8051d44f7cb102b5796c3a3e7367b69d91be32a3ff3e34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7465252632d7bd3a7a980bc3624a3cac

SHA1
f729835d34426ae0b5ebf84ff46a8f14e7bed1df

SHA256
3928bf30db744a073944785d756dea11d99766c5e41b21d62a554ca741470566

SHA512
4092791f9a076cb07aa806a1fb318825f008ab008ce7540d5547b2d63fc0a3c70a144008e5cd972cfbb46e20d2f4a582093c7ad75c528a9d117829353ce0b315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d839357ced28b58697b3edf2ba940f07

SHA1
1f715fd248680c20ffd555eac107d6f1c4b28f11

SHA256
c91c791ff05ea72c4ed01fc2bdd22bdade886e8a2bb0b0e14e999efe4581e9f5

SHA512
795a4d97d3bcbf7fde912ebab6618f44bcb738f0b8599d25c6dde7d0f7e0cdd401acbc54eb833a25a751977554b930df79e5d252200706dd302a5049ffe5b24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e74169bd1e7f90063e0b6ddebbc8314

SHA1
aa63f409929f5f6e5aad984bae69bbbf5f1d121b

SHA256
42f4be49710c228fc8d90078e85842569a134ffee7cbcfe73e0112e90037e145

SHA512
dc7389445e04393f6dfad33e53c2e0736858c5a1823f0ae2b02c96e8e3d09006127ae0380d2c55ceea1f307ab9c9e7fd552ca7f137df1525d2bef86a434f288a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88b9c01111ba96e4ed28bf6d7ec225e6

SHA1
ad39a2be1581e846a100537dbceecee2b06fc274

SHA256
d4b2a9c7903ff3a961123c26e0e2f8d846777a3c6d6a1804ff12a0d7da9437c9

SHA512
2e967d7a3b91b9894734b41dca60376eb6105d549a3e92040f17ca3cda1cc462d19a60026e126ddc1623d2efdd5021a5c663098d0b258336213277d7948827be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d55b2db148d555124a9a03d784d7bb8d

SHA1
095079499cd9fd27ae65226d09f65146f8fbe5a6

SHA256
2d14fb6dc59a019da647a6389ad634ece7d2ab2f76f3fe66ca12d7748855ba19

SHA512
3f170480cd6e36a367192225dcf179778d6284b722a0e3348504327a1bbd21c983146e5116017d97041d495e526106fcebad442e001604298f6685257aef3347

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB20A.tmp.dat

Filesize
100KB

MD5
cf9a72dee7438a4e49cdfa2a662e544a

SHA1
2a56047d105b932b36b00947c2b62e7b9941f19d

SHA256
7597a03f232e74668b9e90a0ba1aa01c885b5fe97f316d23c26fd85e39e6861a

SHA512
e0604e245d52fb9b568dd942c896b2548134c807931f27e1c4ddb7ddd5139dbe73b37c61709b34d9f8eeebf99de315eae25c6598fd3abe5a78ab55ffde8aeb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB20E.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB46C.tmp.dat

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB480.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB492.tmp.tmpdb

Filesize
5.0MB

MD5
cbec3e68821089bea95eceabe7fee7cf

SHA1
eccc0ecf50ee5e11e1ac9ab64aac29567c71b403

SHA256
e5fe6a19fc16004113dee51b3a5a66b86bd9c24559b4ff8b254cdb090aa4af71

SHA512
58adf046bb895d6287db3188cf21538b32ad09023fd66f0221858ed5cb4d83e183ee2f6596cadc293151a6616a889640d2b6c051b0240e8d7c6da0568aa9ed14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB493.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(24).txt

Filesize
2KB

MD5
48e9155726f9c06491c062f70808f2c0

SHA1
f8978a7d25823d27b129a76ab99f81686fb4f77f

SHA256
9a335a6c0aa177ae4e91bf5482be7ea60df45663cdd409c72ff1ffedaa6af5d6

SHA512
bcede60bc929eb2d456b454287eea93480b60ff0dded0c6a0688018d9f117a3f3f9c0f3cf0af3e2431bc5c3b3791c46ca78a483bc2c01874c33ac51d2bfd5511

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\Desktop\cheat.exe

Filesize
303KB

MD5
43bff03bf5b096bb7673a6116deeaaf9

SHA1
87b72cc4ef3223e2c4733c9dd3491c15c52fe3a2

SHA256
ec8dce97f07f09963def07b08ed495fce710bd4cca94d9ff356a7de155ea4bf4

SHA512
a5c18459b9fe5251b2dae07ec2754fed9752d1e09a819642a03c34cf3535cc9c993e452e2df69b1f68925b3a1234c862724cf1c9f0858f3daeb948303f3e2e7a

Download Submit
C:\Users\Admin\Downloads\Cheat Game CS2 2024.rar

Filesize
112KB

MD5
ae503ab88331f7a3a8cf2accc04f1aaf

SHA1
383b6587d71559cbc2bd0254b88650f7b610ddb0

SHA256
4d14df8770851175368ed353e07c4b8fc89cec451b7217aa3aded9b539fc3992

SHA512
f54ce7e5ab0d09e779b33a39c9ad96714b8522738afb7696d15775deba3ebd6a3c398fce3411097d8d0297f5bc9d03c1c33ae54e99ac165dd6a96d28dd3135e2

Download Submit
C:\Users\Admin\Downloads\Cheat Game CS2 2024.rar:Zone.Identifier

Filesize
773B

MD5
f435526054669a7b33a11ea020572036

SHA1
2fd411af0d673e95fc20507e533080cf1a01ec94

SHA256
63fc9e96cc4bb095f99c1b9b587a1722b69f8af099f450788fb2b8873e5ad919

SHA512
1a79b2883628bfbbdb9bea005cfd42ff0237f3f520c079a7b947d558e81ab7ada484bae8c1215f98dd71b5b3f4598ed178b41bbb56ea968d87ee4093daea71bc

Download Submit
\??\pipe\LOCAL\crashpad_3308_TTMHBQJIEJVMFCGZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4740-270-0x0000022B00C60000-0x0000022B00CB2000-memory.dmp

Filesize
328KB

Download