44caliber | hxxps://disk[.]yandex[.]ru/d/xxvDgROYsuL1nA

Analysis

max time kernel
291s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/xxvDgROYsuL1nA

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1276872451782869143/xGmDsBJgF-XmVjYHmlWeJITbvIMFvsWrmdUxR44Db6po18jTFjvMRKTFStoHQMaCMZPQ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exe

pid process

4252 Insidious.exe
5784 Insidious.exe
5204 Insidious.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 freegeoip.app
82 freegeoip.app
79 freegeoip.app
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
4252	Insidious.exe
5784	Insidious.exe
5204	Insidious.exe

flow	ioc
80	freegeoip.app
82	freegeoip.app
79	freegeoip.app

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 673626.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 673626.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeInsidious.exeInsidious.exeInsidious.exemsedge.exe

pid	process
3396	msedge.exe
3396	msedge.exe
1372	msedge.exe
1372	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
3980	msedge.exe
3980	msedge.exe
4252	Insidious.exe
4252	Insidious.exe
4252	Insidious.exe
4252	Insidious.exe
5784	Insidious.exe
5784	Insidious.exe
5784	Insidious.exe
5784	Insidious.exe
5204	Insidious.exe
5204	Insidious.exe
5204	Insidious.exe
5204	Insidious.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
1372 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exe

description pid process

Token: SeDebugPrivilege 4252 Insidious.exe
Token: SeDebugPrivilege 5784 Insidious.exe
Token: SeDebugPrivilege 5204 Insidious.exe

description	pid	process
Token: SeDebugPrivilege	4252	Insidious.exe
Token: SeDebugPrivilege	5784	Insidious.exe
Token: SeDebugPrivilege	5204	Insidious.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1372 wrote to memory of 3008	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3008	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3412	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3396	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3396	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe
PID 1372 wrote to memory of 3124	1372	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/xxvDgROYsuL1nA
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42d46f8,0x7ffbd42d4708,0x7ffbd42d4718
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2278338054776787659,6412924417919698107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:844

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5784

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
55KB

MD5
3bf95563cb618a2688f5163c7e299717

SHA1
ab60be7710c20a05c7497379dacd4769141a1e8a

SHA256
458644c9bcc546a41b0fdd8e0a5249be9235a8bd7b3767b74b616c91e5cb5f61

SHA512
d48cefdabfdc9c12e26e1100cd646dd382b51b9c8f06ee1b2e08dbd269fc5d1cc0f746df8cb46eaa01824d40d3ea9c705af9bce6e7cbe49a93043410333e5220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
ca8a3a7a43c5499eb53dc45f8cc8e8aa

SHA1
5cc6d34096d0177a124c3fdb17aa83afc5f009fa

SHA256
20458d1eb1a90215237d09ec19ee2daca3da77460d33c28e55c943a40d65eaad

SHA512
a65ead4a8593f73b8951dbbd804b43ad9b8184eb460841eab78730b8de19aa7bd5d0165abb8cf8bfaa4f830ac3f99212f52b7f5129e2feb59225fb00c485ecff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
4a32bf4a9f3eef1cd29676c561e7aab9

SHA1
75288e7da65b03d05b7b231d8cd3592a82b21190

SHA256
60da777315ee778cfb5aed19a417b92231ca497140ab264df26847a9ba270012

SHA512
25888419edc5c2c88fc96f9a70df5414d7a957879e5960c75ab905972c6b142515032fc0d5ad60c1c430027450d359de8ffab0988d99eabf26643dddd6af41c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1c8d9897f3988dc1b9130329b7507c0

SHA1
c67002aa0ddbaa650ef055203c69fbc8ba6cff4a

SHA256
939b5d9d2e3df4953fcb0e2ce1848a59c46e6a68ae19316026b3907a0aca76bf

SHA512
76434a137e0b546f4793b9fc0fbd745f47ad88d67105f0e06d869ee86aafd27b101a851527e65c8f61afceab1cb8f0ce5123b106f0679896a8ca68ed9d6dccb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
305a14f984577f60e2018637d53d1326

SHA1
4e86de774f1a801af5cf15e264c7644c27daf24d

SHA256
a485549124ce83e60528c7e6a9d858cc43c589ba2b4d7bc1fafe79b3f5d18270

SHA512
54e32301a029894a931816e4fc5ece411eeffc204dffc546189f16e8ec07cdefdc29f54e2ed91119a6294aa98e9bc44141f23e2420baed4fb77fdadc8b811931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0290f5c0009eb20a986d416771b90666

SHA1
6b3e0cca3e85964f353094ffe9922cbb656e8928

SHA256
971716e0c52d4410d034b75cc56905adffdc33d7c305f98bad6ef96ef9cae564

SHA512
6d21f8ead8e38b8cee32f4a3db008b73664b1226fd04ee2d5338a974b25fc32965c18075c8385006985708c81d89ad9a01457ea988bbeb7b9252b822d9a0a6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f3fc2e58ff8eba7542c5f848c03355c

SHA1
d02b3b0961e34d47df86635e151ab0366a4a09f9

SHA256
0ab623f33bef1668619f64601c13a78c8e1345e180335ecbe023f2e3bb360a3c

SHA512
73ab2e72ea62da27a99a3fee004729ae00ad3264202c28f46f8ae124c67cc1e08e5d75fbd3d08b09293e2d28ad19af82672175baac2c51e79bf215ae9f8664b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
25efa2d01f3969c580b78d0d59ebc4f1

SHA1
e40bd715b84efb62a3f56b2f7018bacc02ee3709

SHA256
758a17ddda6ab43b6fe2add484efc9f63c7d950d2b9fcec893cf167e3bc4ecc9

SHA512
000d6f6c0ea254791a4fe1623133f6437b1101a264d7646e7c63236696926c0dcbc1ed961176279dd7ab97844777a4863b4b0198448947927cb517246f035b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp.dat

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC160.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA34.tmp.tmpdb

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA45.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA46.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA69.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA6A.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 673626.crdownload

Filesize
303KB

MD5
76dc4548eb7f3255913e19fe0a3a9286

SHA1
4e2efa33af6abca5046042f7ed5fb9b17fc8f5af

SHA256
7c0c394c161920494f515bb092e2c7c959f52f6078688153f492414d72089d01

SHA512
12845b0674e89bc0cb46b3c9c6b7dfb4f224751b7274935a555ec9888d4cb4d863b9300a083f253e6e47e561dae7515b13111096172ce1740bc80e7218d43289

Download Submit
\??\pipe\LOCAL\crashpad_1372_EDIDKZSXVHDDQAUI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4252-154-0x000002499AA60000-0x000002499AAB2000-memory.dmp

Filesize
328KB

Download