44caliber | 12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6

Resubmissions

09-08-2024 14:35

240809-rx9r4awakb 10

09-08-2024 14:34

240809-rxj7fawajg 10

Analysis

max time kernel
107s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

303KB
MD5

7553c649cdd15e01bc47cfa2dc88fdae
SHA1

1ad33f546146e52d05e667f0907262c1e55cb958
SHA256

12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6
SHA512

b40c066725b3f9ece6f75dd11598ad73f702b608253a4fa990774d2a61433b7a8218e19c3f5b348b62d18f533069f0cb228bcd5904497e98cd8f77d94a9d1849
SSDEEP

6144:k1E0T6MDdbICydeB1MnyCvG/9GzC6jmA1D0Kzp:k1z6yCvGFG+Y1Dtp

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	freegeoip.app
1	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{E9129906-E1ED-4EAC-A071-4D8139483AB4}	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SolaraBootstrapper.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
4848	SolaraBootstrapper.exe
4848	SolaraBootstrapper.exe
4848	SolaraBootstrapper.exe
4552	msedge.exe
4552	msedge.exe
3636	msedge.exe
3636	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
4500	msedge.exe
4500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SolaraBootstrapper.exe

description	pid	Process
Token: SeDebugPrivilege	4848	SolaraBootstrapper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3636 wrote to memory of 3748	3636	msedge.exe	92
PID 3636 wrote to memory of 3748	3636	msedge.exe	92
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 5108	3636	msedge.exe	93
PID 3636 wrote to memory of 4552	3636	msedge.exe	94
PID 3636 wrote to memory of 4552	3636	msedge.exe	94
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95
PID 3636 wrote to memory of 3116	3636	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe460046f8,0x7ffe46004708,0x7ffe46004718
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,434573386192905254,5104499901688269089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1c615d3e-a2c5-4ad7-8ef7-52cbf39033be.tmp

Filesize
6KB

MD5
c3d4e6be0d51fd81cc346689efc43f65

SHA1
97a83d42039e9876e1a84e378a937f5cb92cf609

SHA256
edeebed59d1a7898d0d7bddc46074d7025ba14774c93c4315598dc91451bbcfa

SHA512
2215d8ae3ac526028c2237064f3ce35a806655b55962dd86fae05b7b71687467b4ae0cebda831bd4b73aa919cc42b9737f2954cba44dcf9c9a7c8572c91a556c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d5cefcc192efda2ef4d938408aaea5c4

SHA1
12eb0c6b79e63c83db4961337843628e30fee88b

SHA256
486916400927e85c357e44dca0f5a10d3500c73486fa6e6aac6445df2c25e17d

SHA512
b0942f99d029ef7351600d958a04c0b94e14b3bd9d6e2d5d5272df7b968a06d83db5ef15cf4701708aceedaac2e57f4da568b7f60deb902c1f7e17d2d6392d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
968B

MD5
f961a438c264049d618c44721a182350

SHA1
c2d1f421e836b7fd078e93cac4f91871acdee34c

SHA256
ff76bf41cb23dbba927be59b9ca6214a5fe32b763a0808458a5eedbee515d7d9

SHA512
a61c92f1616d67feafdd168e3de1c74ccadc96ed0d71f4063bba70c2638598e49bad9e2de3a1e046d88d2b645ff4994e3bc99fa2c346ae19a5b4a36622ff0d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2db5f98fc6435105ca31ee2588fef696

SHA1
37a083b9b804bcd7a4b7da95d228fa2b09cc677b

SHA256
f73f6546a7b2e25801e54e01c5b54081969c3285726555564e939f77abcfe5ff

SHA512
c1bb434fdf6f7a6ba0e39d45170b990db13123af1614745eb7ac2f7100c44a5280bd29bdba37207413ba42e80d18b38542a85f98975b4704df2704ed40eafe7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d479de4e0d6bbfe9fae476bb036d56ba

SHA1
6418b37b54d82b61fa1b022982bed345bf4bea53

SHA256
eefb2163d68c178c2769bd69a7eefa81542433b3f1da17c555206653d16f1d2c

SHA512
dedaeb00bba5b1a1e1f1a3fc304e12b4e0859b92b014d7c9c599c682ac4f4e73eb75b5e61031ace8db321138b682ce898b262ea46a84f443c313d9b26fc503a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27d1db347de7f6b6bb6c0a35ced2aeb4

SHA1
2e9795eb65480555e888e20218fffa6fb76306a3

SHA256
c6fce06a607944c6380b6f5658e4858c0926d61ce43ca69a804cee99086401c8

SHA512
b84292d89783eab48b3ab01bfbfff3990d55bde871839b5cf596e1bf766e4485658426778021b164d98501a139ac55847f6df0ea5074dcc7df480b9baba02bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
dae04d38e27838786cc6f3cf30ed8214

SHA1
4703d256f30a576a57db951b7b460447b85941f4

SHA256
fcbbbecb65b6d0f625b713932642af92a0d5c2cffd5d38f7eb18c352570bb865

SHA512
60ab7ac92920f6598fafb64a7d1661b54005162d8eefc393a9cac05691c4127b425721aaa256afd32e15486abff5fbb68a2ee96f6d5e227b714b8755943051ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e564e7237f2da83d45a7b4ca94e3990

SHA1
fa447027de56f454ae144f3fd1c20c6d340a269d

SHA256
dc085dc566d1a6093aec53d0e26cd3cf19306aa940fcdf8a1514d47673835a12

SHA512
d1d48c63056480809d1bc1391ebd02a7aa29d8fe9a2fa0e65a9a304e06b13d06b24c529dfbb2bce7c506021b05d84741e77a194ffcc3a3ba9a257527cfc9f0b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6aea6d8178baa457dce33b90d1dc7f0

SHA1
94c9a9f92de61c05b5a6f5acb9b6309e5f334dc0

SHA256
ffd2ec5f965db6895226d96151744b1eaa651547900f4357c65c44aca756c1e8

SHA512
e05646d3ffa8400c63116681fc07ca4637c712e537a90c22a1da3d416a3f46583e99f3f161b789af0146f93f899fa3433bb40ee9f59841b5b56d0e367f9066e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58dc03.TMP

Filesize
703B

MD5
826e86c62f3c0d06411084d52a4a64e2

SHA1
807929a36b64f8eeff0abe2e8cf725d7798058ea

SHA256
0767e63631095e882bfc01c57a2c58ec8ab2caeaf0ffa42d63076a064fa86509

SHA512
14f8902f710760e4d2fce968298756d00dd4bd907e40ede734fb906f098e770d4df50a2773123148f7cb02f68be555e1504dcdc8a7840b3133d06007b0a05c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37b8ec60313a848259a58a0621cae0b4

SHA1
b21cc46ca0b53a8145f8735a36921a5ebaae2c52

SHA256
d3e1cd5a6b936c71cd679542ae9e2e2183612ce0deac14b6b5ba3a9af6928be4

SHA512
f4b3931d24c0f869f2946e50069777cb240bd1ca9196858ce06219f7094180ebaa9e2971a891b6dcc42c66b7bfa1805877630ea715777fe7207f125588ad4eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_3636_GTALRMRZDSTXPKTM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4848-1-0x00007FFE45553000-0x00007FFE45555000-memory.dmp

Filesize
8KB

Download
memory/4848-34-0x00007FFE45550000-0x00007FFE46011000-memory.dmp

Filesize
10.8MB

Download
memory/4848-29-0x00007FFE45550000-0x00007FFE46011000-memory.dmp

Filesize
10.8MB

Download
memory/4848-0-0x0000023F0FEF0000-0x0000023F0FF42000-memory.dmp

Filesize
328KB

Download