44caliber | hxxps://disk[.]yandex[.]ru/d/fhTQRLc2L8C31w

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/fhTQRLc2L8C31w

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1276658525119975434/tLmdPzB1Iay19NtTDP0vYSH8FoCoxKcKcJpM3amLs2IEaWJM5HJOk-Vos-dDohOT0BVF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
121	freegeoip.app
122	freegeoip.app
134	freegeoip.app
135	freegeoip.app
136	freegeoip.app
104	freegeoip.app
105	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5788	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
2932	msedge.exe
2932	msedge.exe
1212	identity_helper.exe
1212	identity_helper.exe
1136	msedge.exe
1136	msedge.exe
5648	luno2.0.exe
5648	luno2.0.exe
5648	luno2.0.exe
5648	luno2.0.exe
1984	luno2.0.exe
1984	luno2.0.exe
1984	luno2.0.exe
1984	luno2.0.exe
6056	luno2.0.exe
6056	luno2.0.exe
6056	luno2.0.exe
6056	luno2.0.exe
5824	luno2.0.exe
5824	luno2.0.exe
5824	luno2.0.exe
5824	luno2.0.exe
5896	luno2.0.exe
5896	luno2.0.exe
5896	luno2.0.exe
5896	luno2.0.exe
1600	luno2.0.exe
1600	luno2.0.exe
1600	luno2.0.exe
1600	luno2.0.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5648	luno2.0.exe
Token: SeDebugPrivilege	1984	luno2.0.exe
Token: SeDebugPrivilege	6056	luno2.0.exe
Token: SeDebugPrivilege	5824	luno2.0.exe
Token: SeDebugPrivilege	5896	luno2.0.exe
Token: SeDebugPrivilege	1600	luno2.0.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1032	2932	msedge.exe	85
PID 2932 wrote to memory of 1032	2932	msedge.exe	85
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4588	2932	msedge.exe	86
PID 2932 wrote to memory of 4296	2932	msedge.exe	87
PID 2932 wrote to memory of 4296	2932	msedge.exe	87
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88
PID 2932 wrote to memory of 1932	2932	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/fhTQRLc2L8C31w
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90de746f8,0x7ff90de74708,0x7ff90de74718
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12451084999532310108,16460146982129089753,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Temp1_luno2.0.zip\luno2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_luno2.0.zip\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe
"C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe
"C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_luno2.0.zip\ПРОЧИТАЙ.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5788

C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe
"C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe
"C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe
"C:\Users\Admin\Desktop\New folder (2)\luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Edge(43).txt

Filesize
1KB

MD5
31d14198534902af163d323057a0bb53

SHA1
bf9175d1d46f59365db00962adc1334664044be9

SHA256
1487894ffeadb0b1af4b19c737e88ccf33813e450ca6178e950d98dc096207c8

SHA512
27f3fc6e6a0d906e7c7748af2fec48cd977c180ceb39b2d0a5a1fd6355c35d6bd08a2e940ce4494cf99dfc443508729088eb43dae45c0f8b4917e766a70ef8f8

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
718662c1d5325fee3ebde2c997d28a9e

SHA1
93b1ab4d3912bfe1f73042af7f39bde50301dc97

SHA256
f09f5c83113db7e188245337684966426ab9e766555881d0bdfe3c699d095747

SHA512
f32790309baa8c78973d676e583c039c1b3d2bec5953bcd89c547c7d07ad6b113d66c9ef5327b7798d985c2a4d85acf056fd7476f1555bd38509a332b6764a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
972f2dc5fbbe265f36ed1ac9d14a7d37

SHA1
706dc102cb804b45d713bc2e8e8ba0dab64d3562

SHA256
e6ccb248b8f15aad5c2a9404e7ce599a7aac9f3323db20b55707b58cf1e48265

SHA512
1cc9db3990c0699a90233989089a2ef46023ba095227dfb5f21ac91f44b7fc0eddcf1873ce2014c0a253040004b64d20ff5e39df7dd91b28b37b82ab1b682d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
e0eba5f8e864aa88b15b0a7d41dc7d64

SHA1
aefc3ea6d7377790ca17f5e2a83047761a28ab23

SHA256
7433bae4cfd3dee93a3954193172f4eb6c42228f32810e91bd875a0577491811

SHA512
9b0305988b053e1a3ccaf81e19697b6ac6de89f3d2dfbc8fc6d4c1c61e763cdfbc965611f6ed60bf90aff606c7fb3be9e84d74dde2a18fb7b2a045f89792380e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
2e0e68d4360c77e0e19d4734a6260fc3

SHA1
819e89ee3ad07eb741f25945f31813fc682a3260

SHA256
afcb4e87c1757e7d9bbe7a185e049a35d18eac2c66f096a92b6aaa8938060fd2

SHA512
7728b7a259e597bd2eb958e12eb3a825f265af5acdac09c83634e429a55a45ac6ad14fe83b2fdae7a2e29130cf5f713f669feeea500983d6113131fd18c672e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
630B

MD5
028e4029aa4f5b36ff6cbf7436d38032

SHA1
bf45946288f10c9d3013f56a8a4ac5c0c1c6d335

SHA256
fba39608d7df55951a231c69a6c0c4d4ac98859b99786a17c12075d57b9fea8e

SHA512
0bc07bbb9fece22edc69404db6ee83b95968b08abeb7b78bc3306cf1680dbca7e4894efe350b20e4d04c221d45cc0a87f961c5239595d9f15ed2097778fa7b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3137db8f34965d25dddb78eb4f57eb3

SHA1
7ad4258318ce345f04a1de1cbb2122a08512b186

SHA256
a6b05a97d367f897637edffcd58a5a8b667614690fdb4e4807bf324ef671940d

SHA512
5695d36521118fe62d9f14283d519a74d589f23223d8b30b87a807087dc87a152cc2d3795cfd1017e1fa6347afe6fbcf7315da18f70ef053802f4d3cb17bdcb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba1b76c4f5a886787ed81f471abe2b19

SHA1
6dbae6f947dd32d9eb632034c97b053ba266c312

SHA256
a5e99209fb2a4d10e796c54cae9b5c150f4d9f92b80e85993ba36b675aca078c

SHA512
77e0fa140975c7a470e85e9d168166294f8ee55cc3add6f81cc38efa9c8562fa1b26a954accfb543e81a020634ee39a88781d4071f48b3a41752307d529b9f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d846e365bd2f0744176ba6c889d27231

SHA1
accd639d3beab728cc7cbb25d7c6e98f3d6ac100

SHA256
745f08bae330e39e1cf022289805c36f8e2b833e070011d7581672117fe9e116

SHA512
1ffeae960318ee19ddb93457f80b9c5b8dc457bb7803549bb241044015c5bf5c5d10c7a9d59242684e513345ceed72b006b87172ac2e905b767e3d0c47d0a055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80f1214d4d9cc513b1297f47cbe6b275

SHA1
23aca6a5c47867577a67493b53e906e3abfe705b

SHA256
6126a26d95bec2ec8b2e5a760f8304a0825105623502b3361b3047a411411713

SHA512
429fd1f563b906642fa07651a3087890bffeaefe622eb91062fef8c0f6e1e64e571e018e166e63cf066361229ef91d21a5d798bbb41451509fac33ac6e26603d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17ba2b4da702fe1ff72e4e6e045b1955

SHA1
20a9e55b3e71a564782f4ecd8d0953e9e75f3e61

SHA256
d50eca082f625a29020832b46f5f33c96bbb27dc0f0f7c8e41d5cf5eaba8f000

SHA512
4360f8a4d680d6cdc61fffdb7a470cf416a84cc93152de405621f8ed01e2cbb80bcf0fa5ea4b1269edf2f55ab97741add9389d141611ab5629ab992a66acb34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b4fc3d55b8a152b3d2d355b70cfee23

SHA1
6ea77e28096bd29e28bd3c43381b7ee6339fa211

SHA256
27f940a8459f51d936669b180e97fcf23839684b26686d369e60d4dec91d3098

SHA512
5204d8ad21fa91597a68919897159945e4dea68adec8dc18b02090f222a151fde75a46d127d74703950968c2f74e178e177991613d38750879c5f4cfe64c5d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
219497b8a508b414b3fa73afda8980ef

SHA1
b128f5b5ef79c6e32a02105ffbc368711793cc70

SHA256
d6ab8f287049b29e14495798e5bf6f61e6683597eef080439f970ed698d8ff9c

SHA512
72b53203f0954b83d52104af8c2967bb66533914605d38203ec7946ee756539bf3c36fa99060a01b177ae901fc9c62ad833ec351f3ae26756b7df8ff4cad7cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF400.tmp.dat

Filesize
114KB

MD5
e110cbe124e96c721e3839076f73aa99

SHA1
02c668c17c7fae5613073e9641bc9bcff96c65a0

SHA256
a793f3d212f395bfc8973231a22a6013c0e334443aa4172a8b5d611bb0f378a7

SHA512
8d91ff245f703e5dbee68085e9ca0de4b2fc044befcf79977f46bb8bfd908fa0e22ec0dd6a2b400e9ff447f888b550635ed82ebda18575d17b1f3d478a45f5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF413.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE03.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE17.tmp.tmpdb

Filesize
5.0MB

MD5
9a819f204acf10eaba4d3e5aae8afd0a

SHA1
3d48f4d5e04ca1f82207b8d486476baf890cee5b

SHA256
b602703e04c7fd7786f8b2e581657725ddac7de1d76cd72f3d14f44c128508ab

SHA512
3331e8b7f7029bdfad95d0f84e29856a809294e4aa7834e72ca31082513f9c5a09e9f2964ce831b3ba10671d783bb72d71a269483e4e1d96a5f304a5337ce5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE18.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE1A.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(56).txt

Filesize
1KB

MD5
2ae978c2a2cf837b39659ac7be72bad8

SHA1
169f0877714fc8ba17f06255424ab7f05d3020dd

SHA256
6d2622096da4c8fcfc714deb6524ad988cc2da08f886dc7bcb6c9cd2eb4733b3

SHA512
12c8ee17e63bd75dc13f1f6216b8d429e7d0ea070f572df61e529d1471fa8008c6c439a8413a9f5719f55fad0a96bd47f22814156a48fd0f8e3e5aef85e6f1d3

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\Downloads\luno2.0.zip

Filesize
122KB

MD5
125a5982d2f6f5b488f726b3a60996d9

SHA1
ac6e49df55e834e83b88b6b136a27ef18383c522

SHA256
5e1d87be4b9b2b8f205dbc1c7b238b5b9924463942f0e69163bcaf6d7a5a789a

SHA512
dfa9addfe048a41648ae1cf5ec3d9e011d3d99203f9103c606ce0323f5ca1908a4d5c90da693c73006acae24ce323ef8fd7c59f255ebb8a00ee2ee0098470667

Download Submit
memory/5648-187-0x0000015F9EF70000-0x0000015F9EFC2000-memory.dmp

Filesize
328KB

Download