44caliber | hxxps://disk[.]yandex[.]ru/d/IfJ-uDulZIbe2w

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/IfJ-uDulZIbe2w

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1276832357390876737/oCVowHgG_7-ghKH4B9I0YwQpSpK_9IOSD4OtMpMw7Jb-o6QgXXRdIWsWzwDY7MGiQKEq

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
110	freegeoip.app
88	freegeoip.app
105	freegeoip.app
106	freegeoip.app
109	freegeoip.app
135	freegeoip.app
87	freegeoip.app
91	freegeoip.app
107	freegeoip.app
121	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1816	msedge.exe
1816	msedge.exe
4824	msedge.exe
4824	msedge.exe
4156	identity_helper.exe
4156	identity_helper.exe
2188	msedge.exe
2188	msedge.exe
5948	Luno2.0.exe
5948	Luno2.0.exe
5948	Luno2.0.exe
5948	Luno2.0.exe
1384	Luno2.0.exe
1384	Luno2.0.exe
1384	Luno2.0.exe
1384	Luno2.0.exe
6104	Luno2.0.exe
6104	Luno2.0.exe
6104	Luno2.0.exe
6104	Luno2.0.exe
5216	Luno2.0.exe
5216	Luno2.0.exe
5216	Luno2.0.exe
5216	Luno2.0.exe
3672	Luno2.0.exe
3672	Luno2.0.exe
3672	Luno2.0.exe
3672	Luno2.0.exe
2932	Luno2.0.exe
2932	Luno2.0.exe
2932	Luno2.0.exe
2932	Luno2.0.exe
916	Luno2.0.exe
916	Luno2.0.exe
916	Luno2.0.exe
916	Luno2.0.exe
2620	Luno2.0.exe
2620	Luno2.0.exe
2620	Luno2.0.exe
2620	Luno2.0.exe
4608	Luno2.0.exe
4608	Luno2.0.exe
4608	Luno2.0.exe
4608	Luno2.0.exe
5832	msedge.exe
5832	msedge.exe
5832	msedge.exe
5832	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5948	Luno2.0.exe
Token: SeDebugPrivilege	1384	Luno2.0.exe
Token: SeDebugPrivilege	6104	Luno2.0.exe
Token: SeDebugPrivilege	5216	Luno2.0.exe
Token: SeDebugPrivilege	3672	Luno2.0.exe
Token: SeDebugPrivilege	2932	Luno2.0.exe
Token: SeDebugPrivilege	916	Luno2.0.exe
Token: SeManageVolumePrivilege	6064	svchost.exe
Token: SeDebugPrivilege	2620	Luno2.0.exe
Token: SeDebugPrivilege	4608	Luno2.0.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4668	4824	msedge.exe	84
PID 4824 wrote to memory of 4668	4824	msedge.exe	84
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 4848	4824	msedge.exe	85
PID 4824 wrote to memory of 1816	4824	msedge.exe	86
PID 4824 wrote to memory of 1816	4824	msedge.exe	86
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87
PID 4824 wrote to memory of 2196	4824	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/IfJ-uDulZIbe2w
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb5b546f8,0x7ffcb5b54708,0x7ffcb5b54718
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,17697246772647733723,14073977561538352553,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5696

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5948

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe
"C:\Users\Admin\Desktop\ì«óá∩ »á»¬á (3)\Luno2.0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Cookies_Edge(76).txt

Filesize
3KB

MD5
a1ad8b0afe4af7efded667bc44633dbb

SHA1
1fb970b41854b6f3b696931ce018630fb61208bb

SHA256
ee4beee54577ec79981cb30f60563abd3bf78ff4ed4555f4ca8342f387f35e5e

SHA512
1961f252b35506cc773ed7724da58f220e1e55fae15df8b22d7728aacff3b29881afee424bd8258281091f314ed9ad7206d84fb75e248975278a359f2bba5569

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8cc6e10145e46b346a341864a68a0247

SHA1
86e0bfd9e5dfc3d91b5d512b34bb645d5db197e3

SHA256
a098c14046f8320b1776ff0306dcd69937c9f07ecc010a6c443b793440bc17b4

SHA512
2dce03fbd60a3748bb9680c80a46f5ae0d5598047bfe7bb9e5f6c9886e6ee37ee74767f8f3f8910c4c89d8d9b0dc48e331da794e4c925d00270e563a9bf3836b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
ce5041905b63f7e012edcc2123f28e69

SHA1
3330d31b03d2f6eed844d4cd6a9d5f5a75f8be35

SHA256
a266ed6635538cdd535e7a494d1f03511b83e5a593472d0bc231fb848f2a9062

SHA512
1cf8900893e0b55c054fc2fe3b895377e5115e57a555f0e0b6a712189ffc21a33e35c40b89231f87a486bfc68e36a904b07ea252e2cbc1f020bcdb14cc1db91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
ad676058b1275e204d453df1869fdad4

SHA1
da03c2b1f7fc767bf35cee34802eb27f9598d8b3

SHA256
6ca0523c329dc77855a376d0978b0a3024e4c4c2fa020a48d779bf6cfeab0433

SHA512
02fbd74ba05736b26fd310daed35693c0550f99807374b198ae1bda3d4aa850d350f326e8b87ebcd92bb28e2de5af98305478087cd53a97b88bc9dab2c62d3e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd73400d774c7a75959d9aa2281ecfce

SHA1
77ec287ab0dc9d555eaa6780d5ce54c0494c98f9

SHA256
8ca207d3c64cb8c65316a08da4db256d6a058cdfd8825c612a0f7f9507ca19d6

SHA512
9c298378989492db405c5843970c0783c7ad21a75008a28689e5601d1053d31efbbc50f883134c532ad5f6706bf37978a96b118df897e7b47a62001a92eac16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56f9e9f6589be468ecd2bc18c8e1c426

SHA1
f9df01477177d9fe5e5d7db11499fd53fd848551

SHA256
86aecccd49e899b61da4ad8a16ed48ed64478e88569f1a80f2e42a1ec5dbe71a

SHA512
9ae44d51bf19782813ed847c8b2446a66f979abf0a0be27faae50e5eb20d241a78f448f3a952d6268825376bc07da15261b64c8d3be8abe361264ac7d89730a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9620b3347674cea12d51cc5b8ed6012

SHA1
38c23f62a955b09ff01ce9bc39373d2ac6d6af5f

SHA256
e3526210e72d665a3ac9b88a53ffe5d5f512a66e9eb2c518eadc8976f9de86c2

SHA512
0c3bda4a823497bd7b2a46f8725f2230f58d619157649f3e7de2e8017db02de27b7dee4aeb1099c7df0d9a28e02d7f6b80c948b59f4dc87f2d1f85db58c01253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
35ca5a903bc12d1dcadd9be82c76decc

SHA1
73306dcae60a4af6a1759340b38917fe9f3b34c3

SHA256
f9480ebdd0d471dfec4f26691a605ab10f5489b3339654daf5a4e712d1106a3f

SHA512
eed2ee59347b77348a277ed5d601ff0ad8089f6c2e86c7d4700acc20aa5ba1d75a95580e67c0edb76da6f88a6e163ad68c72cc454d90a0d3e269d56e55dfb057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20608a5deecc7b86c7e2f18d8bef7e70

SHA1
9bfe520dbf2e265a0f20d3ccbb696e1dfe79cbae

SHA256
df5e5e1a1405d31ff32be33ccc6dfb89fd0f1ea786cf68e9a87f3b3abeea7950

SHA512
e9c7e13fd40aaaa16dc5437da92774dadbd466c8c1c63c193d7db7a95a2c3c00297266b0be86c8c9604f3d8286f395047aa2635c6828be9218b16ba07bd5c8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
186ef7942c3493dcc09505cc84b9a233

SHA1
c54e6b855d26b03dab2798a9ea3d7348ec1e7b24

SHA256
58190390824736c1541f9e3694ebfe961f28aef59f9f5bdfc13a75dcd93e7f36

SHA512
c0ce21cf6c326888020aeed64e04aa9fbe4979c4b3d1336e94ae035bc0b62d2ba52040697ba32ce2cc4c89b8ef5eadf04c252e708ce481067220a51309590ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc2ee33df3e3d2d09b3bfc2152ad5de9

SHA1
34dbfbfad79a62dd7923a29c6fad36caccd28b0b

SHA256
9df7d00f9689898bfdfeb14b7a0a1915ab80cea5e61420431a3fdf24391b03c9

SHA512
ca5575107bc7af235827c25d0549e629216337bf14e6152255823626ffc3bc50d2a44d842e685e178a8a261e17f9946447d0d03de74bb0683c241b9b2952b81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B35.tmp.tmpdb

Filesize
5.0MB

MD5
199d82d11c3c57b35976685dd2c6135f

SHA1
b95c80c6766745ca4049acd19d25e9e60d55871c

SHA256
d1e83b9f571cdd8087d0ba5e2de31ad98ebf2c1156eea86de6ef8dea5fc2adcb

SHA512
972db73c22a683a2a68043f53a388978b72f20b2c1411bc69b662b1e66c31dbcb60f142748c6960242da7c58dcabac46b056f6c612612d062b54e38dbf44c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B36.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B49.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B4A.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBAA.tmp.dat

Filesize
114KB

MD5
f0b6304b7b1d85d077205e5df561164a

SHA1
186d8f4596689a9a614cf47fc85f90f0b8704ffe

SHA256
c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7

SHA512
d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBBE.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(41).txt

Filesize
1KB

MD5
0c7519e3770afe9ae8aa14b99103712f

SHA1
5d59a6a3b438eb80adc735cf4bfd92d3f95354e9

SHA256
ee787d66dddf34e8a2aa3df80ce465d95b98afe06e33177154ffac6f2628081e

SHA512
b7035413cbd95667d98b6ed67321d39999c97cfde50ecea8ec53aaee44dc39167d31ad895e6e50c4046c6ef1fea219ddf09926a78971cce646e967c824c24811

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\Downloads\Новая папка (3).zip

Filesize
123KB

MD5
5e7869f4037af6ccb39d2bb6624e3698

SHA1
09c97d0b9e307c5c49248cd9742cd8d9042658bf

SHA256
0279b0a9a4a8257ec56ce8a8b22b5866b890bc264662e53248cba25d9c308f66

SHA512
67527f585dd062b19eb9e2f6b55a7550436ac0c33420da29487d6e53922c66bdb5afcd26e5362a2197d713d208e8ba1fa96ee50c12923405f7549987738a36b9

Download Submit
memory/5948-151-0x000001EF835C0000-0x000001EF83612000-memory.dmp

Filesize
328KB

Download
memory/6064-520-0x000002907FD10000-0x000002907FD20000-memory.dmp

Filesize
64KB

Download
memory/6064-556-0x0000029009A80000-0x0000029009A81000-memory.dmp

Filesize
4KB

Download
memory/6064-555-0x0000029009970000-0x0000029009971000-memory.dmp

Filesize
4KB

Download
memory/6064-554-0x0000029009970000-0x0000029009971000-memory.dmp

Filesize
4KB

Download
memory/6064-552-0x0000029009940000-0x0000029009941000-memory.dmp

Filesize
4KB

Download
memory/6064-536-0x000002907FE10000-0x000002907FE20000-memory.dmp

Filesize
64KB

Download